Abstract 

Annotated pushdown automata provide an automaton model of higher-order recursion 
schemes, which may in turn be used to model higher-order programs for the purposes of 
verification. We study Ground Annotated Stack Tree Rewrite Systems - a tree rewrite 
system where each node is labelled by the configuration of an annotated pushdown automaton. 
This allows the modelling of fork and join constructs in higher-order programs 
and is a generalisation of higher-order stack trees recently introduced by Penelle. 

We show that, given a regular set of annotated stack trees, the set of trees that can 
reach this set is also regular, and constructible in n-EXPTIME for an order-n system, 
which is optimal. We also show that our construction can be extended to allow a global 
state through which unrelated nodes of the tree may communicate, provided the number 
of communications is subject to a fixed bound. 


1 Introduction 

Modern day programming increasingly embraces higher-order programming, both via the inclusion 
of higher-order constructs in languages such as C++, JavaScript and Python, but also 
via the importance of callbacks in highly popular technologies such as JQuery and Node.js. For 
example, to read a file in Node.js, one would write 

fs.readFile('f.txt', function (err, data) { /* ..use data.. */ }); 

In this code, the call to readFile spawns a new thread that asynchronously reads f.txt and 
sends the data to the function argument. This function will have access to, and frequently use, 
the closure information of the scope in which it appears. The rest of the program runs in parallel 
with this call. This style of programming is fundamental to both JQuery and Node.js programming, 
as well as being popular for programs handling input events or slow IO operations such 
as fetching remote data or querying databases (e.g. HTML5's indexedDB). 

Analysing such programs is a challenge for verification tools which usually do not model 
higher-order recursion, or closures, accurately. However, several higher-order model-checking 
tools have been recently developed. This trend was pioneered by Kobayashi et al. m who developed 
an intersection type technique for analysing higher-order recursion schemes - a model 
of higher-order computation. This was implemented in the TRecS tool [16] which demonstrated 
the feasibility of higher-order model-checking in practice, despite the high theoretical complexities 
((n − 1)-EXPTIME for an order-n recursion scheme). This success has led to the development 
of several new tools for analysing recursion schemes: GTRecS |181120), TravMC [27], 
C-SHORe m, HorSat [7], and Preface [5T]. 

In particular, the C-SHORe tool is based on an automata model of recursion schemes called 
annotated (or collapsible) pushdown systems [14]. This is a generalisation of pushdown systems 
- which accurately model first-order recursion - to the higher-order case. C-SHORe implements 
a saturation algorithm to perform a backwards reachability analysis, which first appeared in 
ICALP 2012 [n]. Saturation was popularised by Bouajjani et al. [T] for the analysis of pushdown 
systems, which was implemented in the successful Moped tool |341136|. 

Contributions In this work we introduce a generalisation of annotated pushdown systems: 
ground annotated stack tree rewrite systems (GASTRS). A configuration of a GASTRS is an 
annotated stack tree - that is, a tree where each node is labelled by the configuration of an 
annotated pushdown system. Operations may update the leaf nodes of the tree, either by 
updating the configuration, creating new leaf nodes, or destroying them. Nodes are created 
and destroyed using 

$p \to (p_1, \ldots, p_m)$ and $(p'_1, \ldots, p'_m) \to p$ 

which can be seen as spawning $m$ copies of the current process (including closure information) 
using the first rule, and then later joining these processes with the second rule, returning control 
to the previous execution (parent node). Alternatively, we can just use $p \to (p_1, p_2)$ for a basic 
fork that does not join. 

This model is a generalisation of higher-order stack trees recently introduced by Penelle Eqi, 
where the tree nodes are labelled by a restriction of annotated pushdown automata called 
higher-order pushdown automata. 

As our main contribution, we show that the global backwards reachability problem for 
GASTRSs can be solved via a saturation technique. That is, given a regular target set of 
annotated stack trees, we compute a regular representation of all trees from which there is a 
run of the system to the target set. Note that being able to specify a target set of trees allows us 
to identify error states such as race conditions between threads. Our result is a generalisation 
of the ICALP 2012 algorithm, and as such, may be implemented as part of the C-SHORe tool. 

Moreover, we define a notion of regularity amenable to saturation which is also closed under 
the standard boolean operations. 

As a final contribution, we show that the model can be extended to allow a bounded amount 
of communication between separate nodes of the tree. I.e., we add a global state to the system 
and perform a “context-bounded” analysis [32], where the global state can only be changed an 
a priori fixed number of times. 

Related Work Annotated pushdown systems are a generalisation of higher-order pushdown 
systems that provide a model of recursion schemes subject to a technical constraint called 
safety [Sini and are closely related to the Caucal hierarchy [^ . Parys has shown that safety 
is a genuine constraint on definable traces j^nj. Panic automata provided the first model of 
order-2 schemes, while annotated pushdown systems model schemes of arbitrary order. These 
formalisms have good model-checking properties. E.g. μ-calculus decidability [2^I14| . Krivine 
machines can also be used to model recursion schemes [33]. 

There has been some work studying concurrent variants of recursion scheme model checking, 
including a context-bounded algorithm for recursion schemes [19], and further underapproximation 
methods such as phase-bounded, ordered, and scope-bounding [HISS]. These works 
allow only a fixed number of threads. 

Dynamic thread creation is permitted by both Yasukata et al. EZI and by Chadha and 
Viswanathan nnj. In Yasukata et al.'s model, recursion schemes may spawn and join threads. 
Communication is permitted only via nested locks, whereas in our model we allow shared 
memory, but only a bounded number of memory updates. Their work is a generalisation 
of results for order-1 pushdown systems mi. Chadha and Viswanathan allow threads to be 
spawned, but only one thread runs at a time, and must run to completion. Moreover, the tree 
structure is not maintained. 

Saturation methods also exist for ground tree rewrite systems and related systems |241 l^[2^, 
though use different techniques. Our context-bounded model relates to weak GTRS with state 
introduced by Lin [23]. Adding such weak state to process rewrite systems was considered by 
Křetínský et al. m. 

A saturation technique has also been developed for dynamic trees of pushdown processes [3]. 
These are trees where each process on each node is active (in our model, only the leaf nodes are 
active). However, their spawn operations do not copy the current process, losing closure information. 
It would be interesting and non-trivial to study the combination of both approaches. 

Penelle proves decidability of first order logic with reachability over rewriting graphs of 
ground stack tree rewriting systems [30]. This may be used for a context-bounded reachability 
result for higher-order stack trees. This result relies on MSO decidability over the configuration 
graphs of higher-order pushdown automata, through a finite set interpretation of any rewriting 
graph of a ground stack tree rewriting system into a configuration graph of a higher pushdown 
automaton. This does not hold for annotated pushdown automata. 


2 Preliminaries 

Trees 

An ordered tree over arity at most $d$ over a set of labels $\Gamma$ is a tuple $(D, \lambda)$ where $D \subseteq \{1, \ldots, d\}^*$ 
is a tree domain such that $vi \in D$ implies $v \in D$ (prefix closed), and $vj \in D$ for all $j < i$ 
(younger-sibling closed), and $\lambda : D \to \Gamma$ is a labelling of the nodes of the tree. Let $v \preceq v'$ 
denote that $v$ is an ancestor (inclusive) of $v'$ in the tree. We write $t[v \to \gamma]$ to denote the 
tree $t' = (D \cup \{v\}, \lambda')$ where $\lambda'(v) = \gamma$ and $\lambda'(v') = \lambda(v')$ for $v' \ne v$, whenever $t = (D, \lambda)$ and 
$D \cup \{v\}$ is a valid tree domain. We will also write $t' = t \setminus V$ to denote the tree obtained by 
removing all subtrees rooted at $v \in V$ from $t$. That is $t' = (D', \lambda')$ when $t = (D, \lambda)$ and 

$D' = D \setminus \{ v' \mid v \in V \land v \preceq v' \}$ 

$\lambda'(\cdot) =$ 

undefined otherwise. 


Annotated stacks 

Let $\Sigma$ be a set of stack symbols. An annotated stack of order-n is an order-n stack in which 
stack symbols are annotated with stacks of order at most n. For the rest of the paper, we fix 
the maximal order to n, and use k to range between n and 1. We simultaneously define for all 
$1 \le k \le n$, the set of stacks of order-$k$ whose symbols are annotated by stacks of order at 
most n. Note, we use subscripts to indicate the order of a stack. We ensure all stacks are finite 
by using the least fixed-point. When the maximal order n is clear, we write instead of 

Definition 2.1 (Annotated Stacks). The family of sets ) is the smallest family (for 

point-wise inclusion) such that: 

• for all $2 \le k \le n$, is the set of all (possibly empty) sequences $[s_1 \ldots s_m]_k$ with 
$s_1, \ldots, s_m \in$ 

• is all sequences $[a_1^{s_1} \ldots a_m^{s_m}]_1$ with $m \ge 0$ and for all $1 \le i \le m$, $a_i$ is a stack symbol 
in $\Sigma$ and $s_i$ is an annotated stack in $\bigcup_{1 \le k \le n}$ 

We write $s :_k s'$, where $s$ is order-$(k-1)$, to denote the stack obtained by placing $s$ on 
top of $s'$. That is, 

• if $s' = [s_1 \ldots s_m]_k$ then $s :_k s' = [s\, s_1 \ldots s_m]_k$, and 

• if $s' = [s_1 \ldots s_m]_{k'}$ with $k' > k$ then $s :_k s' = [(s :_k s_1)\, s_2 \ldots s_m]_{k'}$. 

This composition associates to the right. For example, the order-3 stack $[[[a^{s} b]_1]_2]_3$ can be 
written $s_1 :_3 s_2$ where $s_1$ is the order-2 stack $[[a^{s} b]_1]_2$ and $s_2$ is the empty order-3 stack $[]_3$. 
Then $s_1 :_3 s_1 :_3 s_2$ is $[[[a^{s} b]_1]_2\, [[a^{s} b]_1]_2]_3$. 

Note that we cannot write $(s_1 :_k s_2) :_k s_3$ since $(s_1 :_k s_2)$ is not order-$(k-1)$. 


Operations on Order-n Annotated Stacks 

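For a given alphabet $\Sigma$, we define the set $\mathrm{Ops}^\Sigma_n$ of stack operations inductively as follows: 

$\mathrm{Ops}^\Sigma_0 = \{ \mathrm{rew}_{a \to b} \mid a, b \in \Sigma \}$, $\mathrm{Ops}^\Sigma_1 = \{ \mathrm{push}^1_1, \mathrm{pop}_1 \} \cup \mathrm{Ops}^\Sigma_0$, 
$\mathrm{Ops}^\Sigma_n = \{ \mathrm{push}^n_1, \mathrm{push}_n, \mathrm{pop}_n, \mathrm{collapse}_n \} \cup \mathrm{Ops}^\Sigma_{(n-1)}$ 

We define each operation for a stack $s$. Annotations are created by $\mathrm{push}^k_1$, which adds a 
character to the top of a stack $s :_{(k+1)} s'$ annotated by $\mathrm{pop}_k(s)$. This gives the new character 
access to the context in which it was created. 

1. We set $\mathrm{rew}_{a \to b}(a^{s'} :_1 s) = b^{s'} :_1 s$. 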

2. We set push^(s) = :i s when s = -i S 2 '2 ■■ ■ -k Sk -{k+i) ‘‘ -n s„. 

3. We set $\mathrm{push}_k(s :_k s') = s :_k s :_k s'$. 

4. We set $\mathrm{pop}_k(s :_k s') = s'$. 

5. We set $\mathrm{collapse}_k(a^{s} :_1 s_1 :_{(k+1)} s_2) = s :_{(k+1)} s_2$ when $s$ is order-$k$ and $n > k > 1$; and 
$\mathrm{collapse}_n(a^{s} :_1 s') = s$ when $s$ is order-$n$. 
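
The stack operations above as an added Python sketch (it is not code from the paper): stacks are immutable nested tuples with the top at index 0, and `Sym`, `Stack` and all function names are this example's own. It assumes that $\mathrm{push}^k_1$ (`push_ann`) duplicates the top symbol and annotates the copy with $\mathrm{pop}_k$ of the topmost order-$k$ stack, treats an annotation of `None` as "not shown", and writes `collapse` for any order $k$.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union

@dataclass(frozen=True)
class Sym:
    ch: str
    ann: Optional["Stack"] = None  # annotation; None = not shown (simplification)

@dataclass(frozen=True)
class Stack:
    order: int
    items: Tuple[Union[Sym, "Stack"], ...] = ()  # items[0] is the top

def top(s, k):
    """Topmost order-k stack inside s."""
    if s.order < k:
        raise ValueError("stack order is below k")
    while s.order > k:
        if not s.items:
            raise ValueError("empty stack has no top")
        s = s.items[0]
    return s

def with_top(s, k, new):
    """Copy of s whose topmost order-k stack is replaced by new."""
    if s.order == k:
        return new
    return Stack(s.order, (with_top(s.items[0], k, new),) + s.items[1:])

def cons(k, x, s):
    """x :_k s, with x of order k-1 (a Sym when k = 1)."""
    return with_top(s, k, Stack(k, (x,) + top(s, k).items))

def pop(k, s):
    t = top(s, k)
    if not t.items:
        raise ValueError("pop on an empty stack")
    return with_top(s, k, Stack(k, t.items[1:]))

def top_sym(s):
    t = top(s, 1)
    if not t.items:
        raise ValueError("no top symbol")
    return t.items[0]

def rew(a, b, s):
    sym = top_sym(s)
    if sym.ch != a:
        raise ValueError("top symbol is not " + a)
    return cons(1, Sym(b, sym.ann), pop(1, s))  # the annotation is kept

def push_copy(k, s):
    """push_k for k >= 2: duplicate the top order-(k-1) stack."""
    t = top(s, k)
    if not t.items:
        raise ValueError("nothing to copy")
    return cons(k, t.items[0], s)

def push_ann(k, s):
    """push^k_1 (assumed reading): copy the top symbol, annotated with pop_k."""
    return cons(1, Sym(top_sym(s).ch, pop(k, top(s, k))), s)

def collapse(k, s):
    """Replace the topmost order-k stack by the top symbol's annotation."""
    ann = top_sym(s).ann
    if ann is None or ann.order != k:
        raise ValueError("top symbol has no order-k annotation")
    return with_top(s, k, ann)

def show(x):
    if isinstance(x, Sym):
        return x.ch if x.ann is None else f"{x.ch}^{{{show(x.ann)}}}"
    return "[" + " ".join(show(i) for i in x.items) + f"]_{x.order}"

def demo():
    # Constructed sample: the order-2 stack [[a b]_1 [c]_1]_2.
    s0 = Stack(2, (Stack(1, (Sym("a"), Sym("b"))), Stack(1, (Sym("c"),))))
    s1 = push_ann(2, s0)    # the new 'a' remembers the context [[c]_1]_2
    s2 = push_copy(2, s1)   # copying keeps the annotation
    s3 = rew("a", "d", s2)  # rewriting keeps it too
    s4 = collapse(2, s3)    # jump back to the remembered context
    return [show(x) for x in (s0, s1, s2, s3, s4)]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last line printed is the stack the annotated symbol was created over, however many copies and rewrites happened in between.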

3 Annotated Stack Trees 

An annotated stack tree is a tree whose nodes are labelled by annotated stacks. Furthermore, 
each leaf node is also labelled with a control state. Let STrees^ denote the set of order-n 
annotated stack trees over $\Sigma$. 

Definition 3.1 (Order-n Annotated Stack Trees). An order-n annotated stack tree over an 
alphabet E and set of control states F is a U (P x -labelled tree t = (H, A) such that 
for all leaves v of t we have X{v) G P x and for all internal nodes v of t we have X{v) G 5^. 
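3.1 Annotated Stack Tree Operations 

Definition 3.2 (Order-n Annotated Stack Tree Operations). Over a given finite alphabet $\Sigma$ 
and finite set of control states $\mathbb{P}$, the set of order-n stack tree operations is defined to be 

$\mathrm{STOps}^{\Sigma,\mathbb{P}}_n = \{ p \to (p_1, \ldots, p_m),\ (p_1, \ldots, p_m) \to p \mid p, p_1, \ldots, p_m \in \mathbb{P} \} \cup \{ p \xrightarrow{\sigma} p' \mid \sigma \in \mathrm{Ops}^\Sigma_n \land p, p' \in \mathbb{P} \}$. 

Stack operations may be applied to any leaf of the tree. Let $t_{\bullet i}$ denote the $i$th leaf of tree 
$t$. We define the local application of an operation to the $i$th leaf as follows. Let $t = (D, \lambda)$ and 
$\lambda(t_{\bullet i}) = (p, s)$. Then 

$\mathrm{Ap}(p \xrightarrow{\sigma} p', i, t) = t[t_{\bullet i} \to (p', \sigma(s))]$ 

$\mathrm{Ap}(p \to (p_1, \ldots, p_m), i, t) = t[t_{\bullet i} \to s][t_{\bullet i} 1 \to (p_1, s)] \cdots [t_{\bullet i} m \to (p_m, s)]$ 

and when $t_{\bullet i} = v1, \ldots, t_{\bullet i+m-1} = vm$ are the only children of $v$, $\lambda(t_{\bullet i}) = (p_1, s_1), \ldots, \lambda(t_{\bullet i+m-1}) = (p_m, s_m)$ and $\lambda(v) = s$, 

$\mathrm{Ap}((p_1, \ldots, p_m) \to p, i, t) = (t \setminus \{ t_{\bullet i}, \ldots, t_{\bullet i+m-1} \})[v \to (p, s)]$. 

For all $\theta \in \mathrm{STOps}^{\Sigma,\mathbb{P}}_n$ we write $\theta(t)$ to denote the set $\{ t' \mid \exists i.\ t' = \mathrm{Ap}(\theta, i, t) \}$. 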

3.2 Ground Annotated Stack Tree Rewrite Systems 

Definition 3.3 (Order-n Ground Annotated Stack Tree Rewrite Systems). An order-n ground 
annotated stack tree rewrite system (GASTRS) $G$ is a tuple $(\Sigma, \mathbb{P}, \mathcal{R})$ where $\Sigma$ is a finite stack 
alphabet, $\mathbb{P}$ is a finite set of control states, and $\mathcal{R} \subseteq \mathrm{STOps}^{\Sigma,\mathbb{P}}_n$ is a finite set of operations. 

A configuration of an order-n GASTRS is an order-n annotated stack tree $t$ over alphabet 
$\Sigma$. We have a transition $t \to t'$ whenever there is some $\theta \in \mathcal{R}$ and $t' \in \theta(t)$. We write $t \to^* t'$ 
when there is a run $t = t_0 \to \cdots \to t_m = t'$. 
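
The local application of rules to leaves and the transition relation of a GASTRS, as an added Python sketch (not code from the paper). It assumes stacks simplified to order-1 tuples of characters without annotations; the tree encoding, the rule tuples and every name (`ap`, `step`, `reaches`, the control states) are this example's own.

```python
# Trees: ("leaf", state, stack) or ("node", stack, (child, ...)).

def leaves(t, path=()):
    """Paths (child-index tuples) of the leaves of t, left to right."""
    if t[0] == "leaf":
        return [path]
    return [p for j, c in enumerate(t[2]) for p in leaves(c, path + (j,))]

def get(t, path):
    for j in path:
        t = t[2][j]
    return t

def put(t, path, new):
    """Copy of t with the subtree at path replaced by new."""
    if not path:
        return new
    j, kids = path[0], t[2]
    return ("node", t[1], kids[:j] + (put(kids[j], path[1:], new),) + kids[j + 1:])

def ap(rule, i, t):
    """Ap(rule, i, t): result of applying rule at the i-th leaf (1-based), or None."""
    ls = leaves(t)
    if not 1 <= i <= len(ls):
        return None
    path = ls[i - 1]
    _, p, s = get(t, path)
    if rule[0] == "op":                      # p --sigma--> p'
        _, src, sigma, dst = rule
        s2 = sigma(s) if p == src else None
        return None if s2 is None else put(t, path, ("leaf", dst, s2))
    if rule[0] == "fork":                    # p -> (p_1, ..., p_m): every child copies s
        _, src, dsts = rule
        if p != src:
            return None
        return put(t, path, ("node", s, tuple(("leaf", d, s) for d in dsts)))
    if rule[0] == "join":                    # (p_1, ..., p_m) -> p
        _, srcs, dst = rule
        if not path:
            return None                      # a root leaf has no parent
        parent = get(t, path[:-1])
        kids = parent[2]
        # leaves i .. i+m-1 must be the only children of the parent, in order
        if path[-1] != 0 or len(kids) != len(srcs):
            return None
        if any(k[0] != "leaf" or k[1] != q for k, q in zip(kids, srcs)):
            return None
        return put(t, path[:-1], ("leaf", dst, parent[1]))  # parent keeps its own stack
    raise ValueError("unknown rule kind")

def step(rules, t):
    """All t' with t -> t': the union of theta(t) over the rules."""
    out = []
    for r in rules:
        for i in range(1, len(leaves(t)) + 1):
            t2 = ap(r, i, t)
            if t2 is not None and t2 not in out:
                out.append(t2)
    return out

def reaches(rules, t0, goal, bound):
    """Forward search: is a tree satisfying goal reachable in at most bound steps?"""
    frontier = [t0]
    for _ in range(bound + 1):
        if any(goal(t) for t in frontier):
            return True
        frontier = [t2 for t in frontier for t2 in step(rules, t)]
    return False

def rew(a, b):
    """Order-1 stand-in for rew_{a->b}; returns None where the operation is undefined."""
    return lambda s: (b,) + s[1:] if s and s[0] == a else None

# Constructed sample system: fork two workers, let each rewrite its copy, then join.
FORK = ("fork", "main", ("reader", "rest"))
JOIN = ("join", ("read_done", "rest_done"), "joined")
RULES = [FORK,
         ("op", "reader", rew("a", "b"), "read_done"),
         ("op", "rest", rew("a", "c"), "rest_done"),
         JOIN]
T0 = ("leaf", "main", ("a",))
JOINED = ("leaf", "joined", ("a",))

if __name__ == "__main__":
    print(ap(FORK, 1, T0))
    print(reaches(RULES, T0, lambda t: t == JOINED, 4))
```

The join returns control to the parent with the stack stored at the parent node, so the rewrites made by the two children are discarded.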

3.3 Regular Sets of Annotated Stack Trees 

We define a notion of annotated stack tree automata for recognising regular sets of annotated 
stack trees. We give an initial exposition here, with more details (definitions and proofs) in 
Appendix A. In particular, we have the following result. 

Proposition 3.1. Annotated stack tree automata form an effective boolean algebra, membership 
is in linear time, and emptiness is PSPACE-complete. 

Transitions of stack tree automata are labelled by states of stack automata which have 
a further nested structure [5]. These automata are based on a similar automata model by 
Bouajjani and Meyer |^. We give the formal definition with intuition following. 

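Definition 3.4 (Order-n Annotated Stack Tree Automata). An order-n stack tree automaton 
over a given stack alphabet $\Sigma$ and set of control states $\mathbb{P}$ is a tuple 

$T = (Q, \mathbb{R}_n, \ldots, \mathbb{R}_1, \Sigma, \Delta, \Delta_n, \ldots, \Delta_1, \mathbb{P}, F, F_n, \ldots, F_1)$ 

where $\Sigma$ is a finite stack alphabet, $Q$ is a finite set of states, 

$\Delta \subseteq Q \times \{ (i, m) \mid 1 \le i \le m \} \times (Q \setminus F) \times \mathbb{R}_n$ 

is a finite set of transitions, $\mathbb{P} \subseteq Q$ and $F \subseteq Q$ are initial and final states respectively, and 

1. for all $n \ge k \ge 2$, we have $\mathbb{R}_k$ is a finite set of states, $\Delta_k \subseteq \mathbb{R}_k \times \mathbb{R}_{k-1} \times 2^{\mathbb{R}_k}$ is a transition 
relation, and $F_k \subseteq \mathbb{R}_k$ is a set of accepting states, and 

2. $\mathbb{R}_1$ is a finite set of states, $\Delta_1 \subseteq \bigcup_{2 \le k \le n} (\mathbb{R}_1 \times \Sigma \times 2^{\mathbb{R}_k} \times 2^{\mathbb{R}_1})$ is a transition relation, and 
$F_1 \subseteq \mathbb{R}_1$ is a set of accepting states. 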

3.3.1 Accepting Stacks 

Order-$k$ stacks are recognised from states in $\mathbb{R}_k$. A transition $(r, r', R) \in \Delta_k$ from $r$ to $R$ for 
some $k > 1$ is denoted $r \xrightarrow{r'} R$ and can be fired when the stack is $s :_k s'$ and $s$ is accepted from 
$r' \in \mathbb{R}_{(k-1)}$. The remainder of the stack $s'$ must be accepted from all states in $R$. At order-1, 
a transition $(r, a, R_{br}, R) \in \Delta_1$ is denoted $r \xrightarrow[R_{br}]{a} R$ and is a standard alternating $a$-transition 
with the additional requirement that the stack annotating $a$ is accepted from all states in $R_{br}$. 
A stack is accepted if a subset of $F_k$ is reached at the end of each order-$k$ stack. Note, we give 
a more formal definition of a run in Appendix A. We write $s \in \mathcal{L}_r(T)$ whenever $s$ is accepted 
from a state $r$. 

An order-n stack can be represented naturally as an edge-labelled tree over the alphabet 
$\{ [_{n-1}, \ldots, [_1, ]_1, \ldots, ]_{n-1} \} \uplus \Sigma$, with $\Sigma$-labelled edges having a second target to the tree representing 
the annotation. For technical convenience, a tree representing an order-$k$ stack does 
not use $[_k$ or $]_k$ symbols (these appear uniquely at the beginning and end of the stack). An 
example order-3 stack is given below, with only a few annotations shown. The annotations are 
order-3 and order-2 respectively. 

[Figure: an example order-3 stack drawn as an edge-labelled tree.] 

An example (partial) run over this stack is pictured below, using transitions $r_3 \xrightarrow{r_2} R_3 \in \Delta_3$, 
$r_2 \xrightarrow{r_1} R_2 \in \Delta_2$, and $r_1 \xrightarrow[R_{br}]{a} R_1 \in \Delta_1$. The node labelled $R_{br}$ begins a run on the stack 
annotating $a$. 

[Figure: a partial run over the example stack, passing through $r_3$, $r_2$, $r_1$, $R_1$, $R_2$, $R_3$ and $R_{br}$.] 


3.3.2 Accepting Stack Trees 

Annotated stack tree automata are bottom-up tree automata whose transitions are labelled by 
states from which stacks are accepted. We denote by 

$q \xleftarrow{i/m} (q', r)$ 

a transition $(q, i, m, q', r) \in \Delta$. Observe that $q' \notin F$ by definition. When a node $v$ has children 
$v_1, \ldots, v_m$, the transition above could be applied to the $i$th child $v_i$. It can be applied when $v_i$ 
is already labelled by $q'$ and the stack $s_i$ attached to $v_i$ is accepted from state $r$ of the stack 
automaton. If it is applied, then $q$ will be set as the label of the parent $v$. Over runs of the 
automaton we enforce that every child is present and the transitions applied at each child agree 
on the state assigned to its parent. 

Let $\lambda_s(v) = s$ when $\lambda(v) = (p, s)$ or $\lambda(v) = s$. Given an order-n annotated stack tree 
$t = (D, \lambda)$ a run of an automaton $T$ is a $Q$-labelled tree $(D, \lambda')$ where each leaf $v$ of $t$ has 
$\lambda'(v) = p$ whenever $\lambda(v) = (p, s)$ for some $s$, and each internal node $v$ with children $v1, \ldots, vm$ 
has a label $\lambda'(v) = q$ only if we have transitions 

$q \xleftarrow{1/m} (q_1, r_1), \ldots, q \xleftarrow{m/m} (q_m, r_m)$ 

and $\lambda'(vi) = q_i$ and $\lambda_s(vi) \in \mathcal{L}_{r_i}(T)$ for all $1 \le i \le m$. Finally $\lambda'(\varepsilon) = q$ and we have a 
transition $q_f \xleftarrow{1/1} (q, r)$ with $q_f \in F$ and $\lambda_s(\varepsilon) \in \mathcal{L}_r(T)$. 

We write $\mathcal{L}(T)$ to denote the set of trees accepted by $T$. 


3.4 Notation and Conventions 

3.4.1 Number of Transitions 

We assume for all pairs of states $q, q' \in Q$ and each $i, m$ there is at most one transition of the 
form $q \xleftarrow{i/m} (q', r)$. Similarly we assume for all $r \in \mathbb{R}_k$ and $R \subseteq \mathbb{R}_k$ that there is at most one 
transition of the form $r \xrightarrow{r'} R \in \Delta_k$. This condition can easily be ensured by replacing pairs of 
transitions $r \xrightarrow{r_1} R$ and $r \xrightarrow{r_2} R$ with a single transition $r \xrightarrow{r'} R$, where $r'$ accepts the union of 
the languages of stacks accepted from $r_1$ and $r_2$. Similarly for transitions in $\Delta$. 


3.4.2 Short-form Notation 


Consider the example run shown above. This run reads the top of every level of the stack: the 
transition to $R_3$ reads the topmost order-2 stack, the transition to $R_2$ reads the order-1 stack 
at the top of this stack, and the transition to $R_1$ and $R_{br}$ reads the top character of the order-1 
stack. 

The saturation algorithm relies on stack updates only affecting the topmost part of the 
stack. Thus, we need a notation for talking about the beginning of the run. Hence, we will 
write the run in the figure above (that reads the topmost parts of the stack) as a "short-form" 
transition 

$r_3 \xrightarrow[R_{br}]{a} (R_1, \ldots, R_3)$. 

In the following, we define this notation formally, and generalise it to transitions of a stack tree 
automaton. In general, we write 

$r \xrightarrow[R_{br}]{a} (R_1, \ldots, R_k)$ and $r \xrightarrow{r'} (R_{k'+1}, \ldots, R_k)$. 

In the first case, $r \in \mathbb{R}_k$ and there exist $r_{k-1}, \ldots, r_1$ such that $r \xrightarrow{r_{k-1}} R_k \in \Delta_k$, 
$r_{k-1} \xrightarrow{r_{k-2}} R_{k-1} \in \Delta_{k-1}$, ..., $r_1 \xrightarrow[R_{br}]{a} R_1 \in \Delta_1$. Since we assume at most one transition between any state 
and set of states, the intermediate states $r_{k-1}, \ldots, r_1$ are uniquely determined by $r$, $a$, $R_{br}$ and 
$R_1, \ldots, R_k$. 

In the second case, either $k = k'$ and $r = r' \in \mathbb{R}_k$, or $k > k'$ and we have $r \in \mathbb{R}_k$, 
$r' \in \mathbb{R}_{k'}$, and there exist $r_{k-1}, \ldots, r_{k'+1}$ with $r \xrightarrow{r_{k-1}} R_k \in \Delta_k$, $r_{k-1} \xrightarrow{r_{k-2}} R_{k-1} \in \Delta_{k-1}$, ..., 
$r_{k'+2} \xrightarrow{r_{k'+1}} R_{k'+2} \in \Delta_{k'+2}$ and $r_{k'+1} \xrightarrow{r'} R_{k'+1} \in \Delta_{k'+1}$. 

We lift the short-form transition notation to transitions from sets of states. We assume that 
state-sets $\mathbb{R}_n, \ldots, \mathbb{R}_1$ are disjoint. Suppose $R = \{ r_1, \ldots, r_m \}$ and for all $1 \le i \le m$ we have 
$r_i \xrightarrow[R^i_{br}]{a} (R^i_1, \ldots, R^i_k)$. Then we have $R \xrightarrow[R_{br}]{a} (R_1, \ldots, R_k)$ where $R_{br} = \bigcup_{1 \le i \le m} R^i_{br}$ and for all 
$k$, $R_k = \bigcup_{1 \le i \le m} R^i_k$. Because an annotation can only be of one order, we insist that $R_{br} \subseteq \mathbb{R}_k$ 
for some $k$. 

We generalise this to trees as follows. We write 

$q \xleftarrow{i/m} (q', a, R_{br}, R_1, \ldots, R_n)$ and $q \xleftarrow{i/m} (q', r_k, R_{k+1}, \ldots, R_n)$ 

when $q \xleftarrow{i/m} (q', r)$ and $r \xrightarrow[R_{br}]{a} (R_1, \ldots, R_n)$ or, respectively, $r \xrightarrow{r_k} (R_{k+1}, \ldots, R_n)$. 

Finally, we remark that a transition to the empty set is distinct from having no transition. 


4 Backwards Reachability Analysis 

Fix a GASTRS $G$ and automaton $T_0$ for the remainder of the article. We define 

$\mathrm{Pre}^*_G(T_0) = \{ t \mid t \to^* t' \land t' \in \mathcal{L}(T_0) \}$. 

We give a saturation algorithm for computing an automaton $T$ such that $\mathcal{L}(T) = \mathrm{Pre}^*_G(T_0)$. 
Indeed, we prove the following theorem. The upper bound is discussed in the sequel. The lower 
bound comes from alternating higher-order pushdown automata [8] and appears in Appendix D. 

Theorem 4.1. Given an order-n GASTRS $G$ and stack tree automaton $T_0$, $\mathrm{Pre}^*_G(T_0)$ is regular 
and computable in n-EXPTIME, which is optimal. 

For technical reasons assume for each $p$ there is at most one rule $(p_1, \ldots, p_m) \to p$. E.g., we 
cannot have $(p_1, p_2) \to p$ and $(p'_1, p'_2) \to p$. This is not a real restriction since we can introduce 
intermediate control states. E.g. $(p_1, p_2) \to p_{1,2}$ and $p_{1,2} \xrightarrow{\mathrm{rew}_{a \to a}} p$ and $(p'_1, p'_2) \to p'_{1,2}$ and 
$p'_{1,2} \xrightarrow{\mathrm{rew}_{a \to a}} p$ for all $a \in \Sigma$. 

Initial States 

We say that all states in $\mathbb{P}$ are initial. Furthermore, a state $r$ is initial if there is a transition 
$q \xleftarrow{i/m} (q', r)$ or if there exists a transition $r' \xrightarrow{r} R$ in some $\Delta_k$. We make the assumption that 
all initial states do not have any incoming transitions and that they are not final¹. Furthermore, 
we assume any initial state only appears on one transition. 

New Transitions 

When we add a transition $q \xleftarrow{i/m} (q', a, R_{br}, R_1, \ldots, R_n)$ to the automaton, then, we add 
$q \xleftarrow{i/m} (q', r_n)$ to $\Delta$ if it does not exist, else we use the existing $r_n$, and then for each $n \ge k > 1$, 
we add $r_k \xrightarrow{r_{k-1}} R_k$ to $\Delta_k$ if a transition between $r_k$ and $R_k$ does not already exist, otherwise 
we use the existing transition and state $r_{k-1}$; finally, we add $r_1 \xrightarrow[R_{br}]{a} R_1$ to $\Delta_1$. 


¹ Hence automata cannot accept empty stacks from initial states. This can be overcome by introducing a 
bottom-of-stack symbol. 

The Algorithm 

We give the algorithm formally here, with intuitive explanations given in the following section. 
Saturation is a fixed point algorithm. We begin with a GASTRS $G = (\Sigma, \mathcal{R})$ and target set 
of trees by $T_0$. Then, we apply the saturation function and obtain a sequence of automata 
$T_{i+1} =$ The algorithm terminates when $T_{i+1} = T_i$ in which case we will have $\mathcal{L}(T_{i+1}) = \mathrm{Pre}^*_G(T_0)$. 

Following the conventions described above for adding transitions to the automaton, we can 
only add a finite number of states to the automaton, which implies that only a finite number 
of transitions can be added. Hence, we must necessarily reach a fixed point for some i. 

Given %, we define 7i+i = ■£{%) to be the automaton obtained by adding to % the following 
transitions and states. 

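• For each rule $p \xrightarrow{\mathrm{rew}_{a \to b}} p' \in \mathcal{R}$ and transition $q \xleftarrow{j/m} (p', b, R_{br}, R_1, \ldots, R_n)$ in $T_i$, add 
to $T_{i+1}$ the transition $q \xleftarrow{j/m} (p, a, R_{br}, R_1, \ldots, R_n)$. 

• For each rule $p \xrightarrow{\mathrm{push}^k_1} p' \in \mathcal{R}$, transition $q \xleftarrow{j/m} (p', a, R_{br}, R_1, \ldots, R_n)$, and $R_1 \xrightarrow[R'_{br}]{a} R'_1$ 
in $T_i$, add 

$q \xleftarrow{j/m} (p, a, R'_{br}, R'_1, R_2, \ldots, R_{k-1}, R_k \cup R_{br}, R_{k+1}, \ldots, R_n)$ 

to $T_{i+1}$ when $k > 1$, and $q \xleftarrow{j/m} (p, a, R'_{br}, R'_1 \cup R_{br}, R_2, \ldots, R_n)$ when $k = 1$. 

• For each rule $p \xrightarrow{\mathrm{push}_k} p' \in \mathcal{R}$ and $q \xleftarrow{j/m} (p', a, R_{br}, R_1, \ldots, R_n)$ and $R_k \xrightarrow[R'_{br}]{a} (R'_1, \ldots, R'_k)$ 
in $T_i$, add to $T_{i+1}$ 

$q \xleftarrow{j/m} (p, a, R_{br} \cup R'_{br}, R_1 \cup R'_1, \ldots, R_{k-1} \cup R'_{k-1}, R'_k, R_{k+1}, \ldots, R_n)$. 

• For each rule $p \xrightarrow{\mathrm{pop}_k} p' \in \mathcal{R}$ and $q \xleftarrow{j/m} (p', r_k, R_{k+1}, \ldots, R_n)$ in $T_i$, add to $T_{i+1}$ for each 
$a \in \Sigma$ 

$q \xleftarrow{j/m} (p, a, \emptyset, \emptyset, \ldots, \emptyset, \{r_k\}, R_{k+1}, \ldots, R_n)$. 

• For each rule $p \xrightarrow{\mathrm{collapse}_k} p' \in \mathcal{R}$ and $q \xleftarrow{j/m} (p', r_k, R_{k+1}, \ldots, R_n)$ in $T_i$, add to $T_{i+1}$ for 
each $a \in \Sigma$ 

$q \xleftarrow{j/m} (p, a, \{r_k\}, \emptyset, \ldots, \emptyset, R_{k+1}, \ldots, R_n)$. 

• For each rule $p \to (p_1, \ldots, p_m) \in \mathcal{R}$ and $q \xleftarrow{j/m'} (q', a, R_{br}, R_1, \ldots, R_n)$ and 

$q' \xleftarrow{1/m} (p_1, a, R^1_{br}, R^1_1, \ldots, R^1_n), \ldots, q' \xleftarrow{m/m} (p_m, a, R^m_{br}, R^m_1, \ldots, R^m_n)$ 

in $T_i$, add to $T_{i+1}$ 

$q \xleftarrow{j/m'} (p, a, R'_{br}, R'_1, \ldots, R'_n)$ 

where $R'_{br} = R_{br} \cup R^1_{br} \cup \cdots \cup R^m_{br}$ and for all $k$, we have $R'_k = R_k \cup R^1_k \cup \cdots \cup R^m_k$. 

• For each rule $(p_1, \ldots, p_m) \to p \in \mathcal{R}$ and $a_1, \ldots, a_m \in \Sigma$ add to $T_{i+1}$ the transitions 
$p \xleftarrow{j/m} (p_j, a_j, \emptyset, \emptyset, \ldots, \emptyset)$ for each $1 \le j \le m$. 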
4.0.3 Intuition of the Algorithm 

Since rules may only be applied to the leaves of the tree, the algorithm works by introducing 
new initial transitions that are derived from existing initial transitions. Consider a tree t with 
a leaf node $v$ labelled by $(p, b^{s'} :_1 s)$. Suppose this tree were already accepted by the automaton, 
and the initial transition $q \xleftarrow{i/m} (p, b, R_{br}, R_1, \ldots, R_n)$ is applied to $v$. 

If we had a rule $p' \xrightarrow{\mathrm{rew}_{a \to b}} p$ then we could apply this rule to a tree $t'$ that is identical 
to $t$ except $v$ is labelled by $(p', a^{s'} :_1 s)$. After the application, we would obtain $t$. Thus, if $t$ is 
accepted by the automaton, then $t'$ should be accepted. 

The saturation algorithm will derive from the above rule and transition a new transition 
$q \xleftarrow{i/m} (p', a, R_{br}, R_1, \ldots, R_n)$. This transition simply changes the control state and top character 
of the stack. Thus, we can substitute this transition into the accepting run of $t$ to build 
an accepting run of $t'$. 

For a rule $(p_1) \to p$ we would introduce a transition $p \xleftarrow{1/1} (p_1, b, \emptyset, \emptyset, \ldots, \emptyset)$. We can add 
this transition to any accepting run of a tree with a leaf with control state $p$ and it will have 
the effect of adding a new node with control state $p_1$. Since we can obtain the original tree by 
applying the rule, the extended tree should also be accepted. The intuition is similar for the 
$\mathrm{pop}_k$ and $\mathrm{collapse}_k$ operations. 

To understand the intuition for the $\mathrm{push}_k$, $\mathrm{push}^k_1$ and $p \to (p_1, \ldots, p_m)$ rules, one must 
observe that these rules, applied backwards, have the effect of replacing multiple copies of 
identical stacks with a single stack. Thus, the new transitions accept the intersection of the 
stacks that could have been accepted by multiple previous transitions: taking the union of two 
sets of automaton states means that the intersection of the language must be accepted. 

Correctness 

We have the following property. 

Property 4.1 (Correctness of Saturation). Given an order-n GASTRS, saturation runs in 
n-EXPTIME and builds an automaton $T$ such that $\mathcal{L}(T) = \mathrm{Pre}^*_G(T_0)$. 

Proof. The proof of completeness is given in Lemma B.1 and soundness is given in Lemma C.6. 
The complexity is derived as follows. We add at most one transition of the form $q \xleftarrow{j/m} (p, r)$ 
for each $q$, $j$, $m$ and $p$. Hence we add at most a polynomial number of transitions to $\Delta$. 

Thus, to $\mathbb{R}_n$ we have a polynomial number of states. We add at most one transition of the 
form $r \xrightarrow{r'} R$ for each $r$ and set of states $R$. Thus we have at most an exponential number of 
transitions in $\Delta_n$. 

Thus, in $\mathbb{R}_k$ we have a number of states bounded by a tower of exponentials of height $(n - k)$. 
Since we add at most one transition of the form $r \xrightarrow{r'} R$ for each $r$ and $R$ we have a number 
of transitions bounded by a tower of exponentials of height $(n - k + 1)$ giving the number of 
states in $\mathbb{R}_{k-1}$. 

Thus, at order-1 the number of new transitions is bounded by a tower of height n, giving 
the n-EXPTIME complexity. □ 


5 Context Bounding 

In the model discussed so far, communication between different nodes of the tree had to be done 
locally (i.e. from parent to child, via the destruction of nodes). We show that the saturation 
algorithm can be extended to allow a bounded amount of communication between distant nodes 
of the tree without destroying the nodes. 

We begin by defining an extension of our model with global state. We then show that being 
able to compute $\mathrm{Pre}^*_G(T_0)$ can easily be adapted to allow a bounded number of global state 
changes. 

5.1 GASTRS with Global State 

Definition 5.1 (Order-n Ground Annotated Stack Tree Rewrite Systems with Global State). 
An order-n ground annotated stack tree rewrite system (GASTRS) with global state $G$ is a 
tuple $(\Sigma, \mathbb{P}, \mathbb{G}, \mathcal{R})$ where $\Sigma$ is a finite stack alphabet, $\mathbb{P}$ is a finite set of control states, $\mathbb{G}$ is a 
finite set of global states, and $\mathcal{R} \subseteq \mathbb{G} \times \mathrm{STOps}^{\Sigma,\mathbb{P}}_n \times \mathbb{G}$ is a finite set of operations. 

A configuration of an order-n GASTRS with global state is a pair $(g, t)$ where $g \in \mathbb{G}$ and 
$t$ is an order-n annotated stack tree over alphabet $\Sigma$. We have a transition $(g, t) \to (g', t')$ 
whenever there is some $(g, \theta, g') \in \mathcal{R}$ and $t' \in \theta(t)$. We write $t \to^* t'$ when there is a run 
$t = t_0 \to \cdots \to t_m = t'$. 

5.2 The Context-Bounded Reachability Problem 

The context-bounded reachability problem is to compute the set of configurations from which 
there is a run to some target set of configurations, and moreover, the global state is only changed 
at most $l$ times, where $l$ is some bound given as part of the input. 

Definition 5.2 (Global Context-Bounded Backwards Reachability Problem). Given a GASTRS 
with global state $G$, and a stack tree automaton for each $g \in \mathbb{G}$, and a bound $l$, the 
global context-bounded backwards reachability problem is to compute a stack tree automaton 
$T_g$ for each $g \in \mathbb{G}$, such that $t \in \mathcal{L}(T_g)$ iff there is a run 

$(g, t) = (g_0, t_0) \to \cdots \to (g_m, t_m) = (g', t')$ 

with $t' \in \mathcal{L}(T_{g'})$ and there are at most $l$ transitions during the run such that $g_i \ne g_{i+1}$. 

5.3 Decidability of Context-Bounded Reachability 

Since the number of global state changes is bounded, the sequence of global state changes for 
any run witnessing context-bounded reachability is of the form $g_0, \ldots, g_m$ where $m \le l$. Let G 
be the set of such sequences. 

Suppose we could compute for each such sequence g = go,... ,gm an automaton such 
that t G CfTg) iff there is a run from {go,t) to {gm,t') with t' G ^(7^„) where the sequence 
of global states appearing on the run is g. We could then compute an answer to the global 
context-bounded backwards reachability problem by taking 

%= \J Tgg . 

gg&G 

To compute 7g we first make the simplifying assumption (without loss of generality) that 
for each g g' there is a unique {g, 9, g') G TZ and moreover 9 = p p'. Furthermore, for 

all g G G we define Qg = (S, P, TZg) where 

TZg = {9 \ {g,9,g)GTZ} . 
We compute 7g by backwards induction. Initially, when g = g we compute 

Ts = Prea^(r,) . 

It is immediate to see that Tg is correct. Now, assume we have g = gg' and we have already 
computed 7§', we show how to compute Tg. 

The first step is to compute 7^ such that t G iff (g^t) {g\t') where g' is the first 

state of g' and t' G £{Tg'). That is, 7~ accepts all trees from which we can change the current 
global state to g'. That is, by a single application of the unique rule {g,6,g'). Once we have 
computed this automaton we need simply build 

7i = P<(7i') 


and we are done. 

We first define T^' which is a version of Tg' that has been prepared for a single application 
of ((/, 0,g'). From this we compute Tg. 

The strategy for building 7^" is to mark in the states which child, if any, of the node has 
the global state change rule applied to its subtree. At each level of the tree, this marking 
information enforces that only one subtree contains the application. Thus, when the root is 
reached, we know there is only one application in the whole tree. Note, this automaton does 
not contain any transitions corresponding to the actual application of the global change rule. 
This is added afterwards to compute Tg. Thus, if 


Tg = 


A. A. 


,,Ai,P,F',F, 


,Fi) 


then 

T£ = (Q',...,Ml, S, A', A„,..., Ai,P,F',F„,...,Fi) 

where, letting m be the maximum number of children permitted by any transition of Tg, 


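$Q' = \mathbb{P} \cup Q \times \{0, \ldots, m\}$ and $F' = \{ (q_f, i) \mid q_f \in F \land 0 < i \le m \}$ 

and we define 

$\Delta' = \Delta_{init} \cup \Delta_{noapp} \cup \Delta_{pass}$ 

$\Delta_{init} = \{ (q, 0) \xleftarrow{i/m} (p, r) \mid q \xleftarrow{i/m} (p, r) \in \Delta \} \cup \{ (q, j) \xleftarrow{i/m} (p, r) \mid q \xleftarrow{i/m} (p, r) \in \Delta \land i \ne j \}$ 

$\Delta_{noapp} = \{ (q, 0) \xleftarrow{i/m} ((q', 0), r) \mid q \xleftarrow{i/m} (q', r) \in \Delta \}$ 

$\Delta_{pass} = \{ (q, i) \xleftarrow{i/m} ((q', j), r) \mid q \xleftarrow{i/m} (q', r) \in \Delta \} \cup \{ (q, j) \xleftarrow{i/m} ((q', 0), r) \mid q \xleftarrow{i/m} (q', r) \in \Delta \land i \ne j \}$ 
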

In the above $\Delta_{init}$ has two kinds of transitions. The first set are the initial transitions for the 
nodes to which the rewrite rule is not applied (indicated by the 0). The second set are the 
rules where the rewrite rule is applied at the $j$th sibling of the $i$th child. Next $\Delta_{noapp}$ are the 
transitions for subtrees which have not been marked as containing the application. Finally, 
$\Delta_{pass}$ propagates information about where the application actually occurred up the tree. The 
first set of transitions in $\Delta_{pass}$ are used when the $i$th child contains the application (hence it 
labels the parent with the information that the $i$th child contains the application). The second 
set of transitions guess that the $j$th sibling contains the application. Thus, at any node, at 
most one child subtree may contain the application. The set of final states enforce that the 
application has occurred in some child. 

To compute T~, letting 9 = p - p' be the operation on the global state change, we 

add to 7g' a transition 

(^5 i) i i/m (P; ^5 .^br; • 5 Rn) 

for each 

Q ^ i/m {p',b,Rbr,Rl,---,Rn) 

inTi'- 

We remark that, as defined, Tg does not satisfy the prerequisites of the saturation algorithm, 
since initial states reading stacks might have incoming transitions, and, moreover, an initial 
state may label more than one transition. We can convert to the correct format using the 
automata manipulations in Appendix lAl 

Lemma 5.1. We have $t \in \mathcal{L}(\widetilde{\mathcal{T}})$ iff $(g, t) \rightarrow (g', t')$ via a single application of the transition
$(g, \theta, g')$ and $t' \in \mathcal{L}(\mathcal{T}_{\tilde{g}'})$.

Proof. First, assume $t \in \mathcal{L}(\widetilde{\mathcal{T}})$. We argue that there is exactly one leaf $t_{\bullet i}$ read by a transition
$(q, i) \leftarrow_{i/m} (p, r)$ and all other leaves are read by some $(q, 0) \leftarrow_{i/m} (p, r)$ or $(q, j) \leftarrow_{i/m} (p, r)$
with $j \neq i$.

If there is no such $t_{\bullet i}$ then all leaf nodes are read by some $(q, 0) \leftarrow_{i/m} (p, r)$. Thus, all
parents of the leaf nodes are labelled by $(q, 0)$. Thus, take any node $v$ and assume its children
are labelled by some $(q, 0)$. It must be the case that $v$ is also labelled by some $(q, 0)$ since
otherwise it is labelled $(q, i)$ and its $i$th child must be labelled by some $(q, j)$ with $j > 0$, which
is a contradiction. Hence, the accepting state of the run must also be some $(q_f, 0)$ which is not
possible.

If there are two or more leaves labelled by some $(q, i)$ with $i > 0$ then each ancestor must
also be labelled by some $(q, i)$ with $i > 0$. Take the nearest common ancestor $v$ and suppose it
is labelled $(q, i)$. However, since it has two children labelled with non-zero second components,
we must have used a transition $(q, i) \leftarrow_{j/m}$ which, by definition, cannot exist.

Hence, we have only one leaf $t_{\bullet i}$ where

$(q, i) \leftarrow_{i/m} (p, a, R_{br}, R_1, \ldots, R_n)$

is used. Obtain $t'$ by applying $p \rightarrow p'$ at this leaf. We build an accepting run of $\mathcal{T}_{\tilde{g}'}$ by
taking the run of $\widetilde{\mathcal{T}}$ over $t$, projecting out the second component of each label, and replacing
the transition used at $t_{\bullet i}$ with

$q \leftarrow_{i/m} (p', b, R_{br}, R_1, \ldots, R_n)$ .

Hence, we are done.

In the other direction take $t$ and $t'$ obtained by applying $p \rightarrow p'$ at leaf $t_{\bullet i}$. We take
the accepting run of $\mathcal{T}_{\tilde{g}'}$ over $t'$ and build an accepting run of $\widetilde{\mathcal{T}}$ over $t$. Let

$q \leftarrow_{i/m} (p', b, R_{br}, R_1, \ldots, R_n)$

be the transition used at this leaf. We replace it with

$(q, i) \leftarrow_{i/m} (p, a, R_{br}, R_1, \ldots, R_n)$ .

Starting from above the root node, let the $j$th child be the first on the path to $t_{\bullet i}$ (the root node
is the 1st child of “above the root node”). For all children except the $j$th, take the transition
$q \leftarrow_{i'/m} (q', r)$ used in the run over $t'$ and replace it with $(q, j) \leftarrow_{i'/m} ((q', 0), r)$. The remainder
of the run in the descendants of these children requires us to use $(q, 0) \leftarrow_{i'/m} ((q', 0), r)$ or
$(q, 0) \leftarrow_{i'/m} (p, r)$ instead of $q \leftarrow_{i'/m} (q', r)$.

For the $j$th child, we use instead of $q \leftarrow_{j/m}$ the transition $(q, j) \leftarrow_{j/m}$
when the $j'$th child of this child leads to $t_{\bullet i}$ or the previously identified transition when the
$j'$th child of this child is the leaf.

We repeat the routine above until we reach $t_{\bullet i}$, at which point we’ve constructed an accepting
run of $\widetilde{\mathcal{T}}$ over $t$. □

By iterating the above procedure, we obtain our result. 

Theorem 5.1 (Context-Bounded Reachability). The global context-bounded backwards
reachability problem for GASTRS with global state is decidable.


6 Conclusions and Future Work 

We gave a saturation algorithm for annotated stack trees - a generalisation of annotated
pushdown systems with the ability to fork and join threads. We build on the saturation method
implemented by the C-SHORe tool. We would like to implement this work. We may also
investigate higher-order versions of senescent ground tree rewrite systems na, which generalises
scope-bounding [22] to trees.
A Particulars of Annotated Stack Tree Automata

Here we discuss various particulars of our stack tree automata: the definition of runs, the
effective boolean algebra, membership, emptiness, transformations to normal form, and comparisons
with other possible stack tree automata definitions.

A.1 Definition of Runs over Stacks

We give a more formal definition of a run accepting a stack. First we introduce some notation.

For $n \geq k > 1$, we write $R_1 \xrightarrow{R'} R_2$ to denote an order-$k$ transition from a set of states
whenever $R_1 = \{r_1, \ldots, r_m\}$ and for each $1 \leq i \leq m$ we have $r_i \xrightarrow{r'_i} R_i$ and $R' = \{r'_1, \ldots, r'_m\}$
and i ?2 = analogous notation at order-1 is a special case of the short-form 

notation defined in Section 

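Formally, fix an annotated stack tree automaton

$\mathcal{T} = (\mathbb{Q}, \mathbb{R}_n, \ldots, \mathbb{R}_1, \Sigma, \Delta, \Delta_n, \ldots, \Delta_1, P, \mathbb{F}, \mathbb{F}_n, \ldots, \mathbb{F}_1)$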

We say a node contains a character if its exiting edge is labelled by the character. Recall the 
tree view of an annotated stack, an example of which is given below. 

[Figure: tree view of an annotated stack]

Some stack (tree) $s$ is accepted by $\mathcal{T}$ from states $R_0 \subseteq \mathbb{R}_k$ — written $s \in \mathcal{L}_{R_0}(\mathcal{T})$ —
whenever the nodes of the tree can be labelled by elements of $\bigcup_{1 \leq k' \leq n} 2^{\mathbb{R}_{k'}}$ such that

1. $R_0$ is a subset of the label of the node containing the first $[_{k-1}$ character of the word, or
if $k = 1$, the first character $a \in \Sigma$, and

2. for any node containing a character $[_{k'}$ labelled by $R$, then for all $r_1 \in R$, there exists
some transition $(r_1, r_2, R_1) \in \Delta_{k'+1}$ such that $r_2$ appears in the label of the succeeding
node and $R_1$ is a subset of the label of the node succeeding the matching $]_{k'}$ character,
and

3. for any node containing a character $]_{k'}$, the label $R$ is a subset of $\mathbb{F}_{k'}$, and the final node
of an order-$k$ stack is labelled by $R \subseteq \mathbb{F}_k$, and

4. for any node containing a character $a \in \Sigma$, labelled by $R$, for all $r' \in R$, there exists
some transition $(r', a, R_{br}, R') \in \Delta_1$ such that $R_{br}$ is a subset of the label of the node
annotating $a$, and $R'$ is a subset of the label of the succeeding node.

That is, a stack automaton is essentially a stack- and annotation-aware alternating automaton,
where annotations are treated as special cases of the alternation.


A.2 Effective Boolean Algebra 

In this section we prove the following. 

Proposition A.1. Annotated stack tree automata form an effective boolean algebra.

Proof. This follows from Proposition A.2, Proposition A.3 and Proposition A.4 below. □


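Proposition A.2. Given two automata

$\mathcal{T} = (\mathbb{Q}, \mathbb{R}_n, \ldots, \mathbb{R}_1, \Sigma, \Delta, \Delta_n, \ldots, \Delta_1, P, \mathbb{F}, \mathbb{F}_n, \ldots, \mathbb{F}_1)$

and

$\mathcal{T}' = (\mathbb{Q}', \mathbb{R}'_n, \ldots, \mathbb{R}'_1, \Sigma, \Delta', \Delta'_n, \ldots, \Delta'_1, P, \mathbb{F}', \mathbb{F}'_n, \ldots, \mathbb{F}'_1)$

there is an automaton $\mathcal{T}''$ which recognises the union of the languages of $\mathcal{T}$ and $\mathcal{T}'$.

Proof. Supposing $\mathcal{T}$ and $\mathcal{T}'$ are disjoint except for $P$ and no state $p \in P$ has any incoming
transition, the automaton we construct is:

$\mathcal{T}'' = (\mathbb{Q} \cup \mathbb{Q}', \mathbb{R}_n \cup \mathbb{R}'_n, \ldots, \mathbb{R}_1 \cup \mathbb{R}'_1, \Sigma, \Delta \cup \Delta', \Delta_n \cup \Delta'_n, \ldots, \Delta_1 \cup \Delta'_1, P, \mathbb{F} \cup \mathbb{F}', \mathbb{F}_n \cup \mathbb{F}'_n, \ldots, \mathbb{F}_1 \cup \mathbb{F}'_1)$

Every run in $\mathcal{T}$ (resp. $\mathcal{T}'$) is a run of $\mathcal{T}''$ as every state and transition of $\mathcal{T}$ is in $\mathcal{T}''$.

A run in $\mathcal{T}''$ is a run of $\mathcal{T}$ or of $\mathcal{T}'$, as every state and transition of $\mathcal{T}''$ is in $\mathcal{T}$ or in $\mathcal{T}'$, and
as the sets of states and transitions are disjoint except for initial states (which do not have
incoming transitions), a valid run is either entirely in $\mathcal{T}$ or in $\mathcal{T}'$. □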
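Proposition A.3. Given two automata

$\mathcal{T} = (\mathbb{Q}, \mathbb{R}_n, \ldots, \mathbb{R}_1, \Sigma, \Delta, \Delta_n, \ldots, \Delta_1, P, \mathbb{F}, \mathbb{F}_n, \ldots, \mathbb{F}_1)$

and $\mathcal{T}'$

there is an automaton $\mathcal{T}''$ which recognises the intersection of the languages of $\mathcal{T}$ and $\mathcal{T}'$.

Proof. We construct the following automaton:

$\mathcal{T}'' = (\mathbb{Q}'', \mathbb{R}''_n, \ldots, \mathbb{R}''_1, \Sigma, \Delta'', \Delta''_n, \ldots, \Delta''_1, P'', \mathbb{F}'', \mathbb{F}''_n, \ldots, \mathbb{F}''_1)$

For any pair of states $r, r' \in \mathbb{R}_n \cup \mathbb{R}'_n$ we can assume a state $r \cap r'$ accepting the intersection
of the stacks accepted from $r$ and $r'$. This comes from the fact that stack automata form
an effective boolean algebra [5]. The states and transitions in $\mathbb{R}''_n, \ldots, \mathbb{R}''_1$, $\Delta''_n, \ldots, \Delta''_1$, and
$\mathbb{F}''_n, \ldots, \mathbb{F}''_1$ come from this construction.

For $q_1 \in \mathbb{Q}$ and $q_2 \in \mathbb{Q}'$, we define $q_{1,2}$ to be in $\mathbb{Q}''$ such that, for every $q_1 \leftarrow_{i/m} (q'_1, r_1)$ and
$q_2 \leftarrow_{i/m} (q'_2, r_2)$, we add the transition $q_{1,2} \leftarrow_{i/m} (q'_{1,2}, r_1 \cap r_2)$.

We have $q_{1,2} \in \mathbb{F}''$ if and only if $q_1 \in \mathbb{F}$ and $q_2 \in \mathbb{F}'$.

A run exists in $\mathcal{T}''$ if and only if there is a run in $\mathcal{T}$ and one in $\mathcal{T}'$, by construction. □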
Proposition A.4. Given an automaton,

$\mathcal{T} = (\mathbb{Q}, \mathbb{R}_n, \ldots, \mathbb{R}_1, \Sigma, \Delta, \Delta_n, \ldots, \Delta_1, P, \mathbb{F}, \mathbb{F}_n, \ldots, \mathbb{F}_1)$

there is an automaton $\overline{\mathcal{T}}$ which accepts a tree if and only if it is not accepted by $\mathcal{T}$.

Proof. We define the complement as follows. We first assume that for each $r \in \mathbb{R}_n$ we also
have $\bar{r} \in \mathbb{R}_n$ that accepts the complement of $r$. This follows from the complementation of stack
automata in ICALP 2012 [5].

Then, we define $\mathcal{T}'$ to be the complement of $\mathcal{T}$, which contains

$\mathcal{T}' = (\mathbb{Q}', \mathbb{R}_n, \ldots, \mathbb{R}_1, \Sigma, \Delta', \Delta_n, \ldots, \Delta_1, P, \mathbb{F}', \mathbb{F}_n, \ldots, \mathbb{F}_1)$

where, letting $m_{max}$ be the maximum number of children that can appear in a tree accepted
by $\mathcal{T}$ (this information is easily obtained from the transitions of $\mathcal{T}$), we have

$\mathbb{Q}' = \bigcup (2^{\mathbb{Q}})^m$ .

That is, the automaton will label nodes of the tree with a set of states for each child. The $i$th
set will be the set of all labels $q$ that could have come from the $i$th child in a run of $\mathcal{T}$. Since
all children have to agree on the $q$ that labels a node, then a label $(Q_1, \ldots, Q_m)$ means that
the set $Q_1 \cap \cdots \cap Q_m$ is the set of states $q$ that could have labelled the node in a run of $\mathcal{T}$.
The transition relation $\Delta'$ is the set of transitions of the form

$(Q_1, \ldots, Q_m) \leftarrow_{i/m} ((Q'_1, \ldots, Q'_{m'}), r)$

where $m, m' \leq m_{max}$ and for all $j \neq i$, the set $Q_j$ is any subset of $\mathbb{Q}$, and $Q_i \subseteq \mathbb{Q}$ and $r$ are
such that

• $r = \bigcap_{q \in \mathbb{Q}} r_q$, and

• if $q \in Q_i$ then

$r_q = r_1 \cup \cdots \cup r_\ell$

where $q \leftarrow_{i/m} (q_1, r_1), \ldots, q \leftarrow_{i/m} (q_\ell, r_\ell)$ are all transitions to $q$ via the $i$th of $m$ children
with the property that

$q_j \in Q'_1 \cap \cdots \cap Q'_{m'}$

for all $j$.

• if $q \notin Q_i$ then

$r_q = \bar{r}_1 \cap \cdots \cap \bar{r}_\ell$

where $q \leftarrow_{i/m} (q_1, r_1), \ldots, q \leftarrow_{i/m} (q_\ell, r_\ell)$ are all transitions to $q$ via the $i$th of $m$ children
with the property that

$q_j \in Q'_1 \cap \cdots \cap Q'_{m'}$

for all $j$.


In each transition, the sets $Q_j$ for all $j \neq i$ have no constraints. The automaton effectively
guesses the set of labels that could have come from sibling nodes. The set $Q_i$ contains all
labellings that could have come from the $i$th child given the set of labellings that could have
labelled the child. The final condition above insists that transitions to any state not in $Q_i$ could
not have been applied to the child.

The set of accepting states is

$\{ (Q_1, \ldots, Q_m) \mid \nexists q_f \in \mathbb{F} . q_f \in Q_1 \cap \cdots \cap Q_m \}$ .

For the initial states, we alias $p = \{p\}$.

We prove that this automaton is the complement of $\mathcal{T}$. Associate to each node $v$ the set $Q_v$
such that $q \in Q_v$ iff there is some (partial, starting from the leaves) run of $\mathcal{T}$ that labels $v$ with
$q$. We prove that all runs of $\mathcal{T}'$ label $v$ with some $(Q_1, \ldots, Q_m)$ such that $Q_v = Q_1 \cap \cdots \cap Q_m$.

At the leaves of the tree this is immediate since $\mathcal{T}$ must label the node with some $p$, and $\mathcal{T}'$
must label it with $\{p\}$.

Now, suppose we have a node $v$ with children $v_1, \ldots, v_m$ and the property holds for all
children.

Take some $q \in Q_v$. Let $q \leftarrow_{1/m} (q_1, r_1), \ldots, q \leftarrow_{m/m} (q_m, r_m)$ be the transitions used in the
run labelling $v$ with $q$. For each $i$ we must have by induction $q_i$ appearing in all sets labelling
$v_i$ in a run of $\mathcal{T}'$. Now suppose $\mathcal{T}'$ labels $v$ with $(Q_1, \ldots, Q_m)$ and moreover $q \notin Q_i$. Then, by
construction, we must have that the stack labelling $v_i$ is accepted from $\bar{r}_i$. However, since the
stack must have been accepted from $r_i$ we have a contradiction. Thus, $q \in Q_i$.

Now take some $q \notin Q_v$. Thus, there is some $i$ such that, letting $q \leftarrow_{i/m} (q_1, r_1), \ldots,$
$q \leftarrow_{i/m} (q_\ell, r_\ell)$ be all transitions with $q_j$ appearing in $Q_{v_i}$, we know the stack labelling $v_i$ is not
accepted from any $r_j$ (and is accepted from all $\bar{r}_j$). Now suppose $\mathcal{T}'$ labels $v$ with $(Q_1, \ldots, Q_m)$
and moreover $q \in Q_i$. Then, by construction, we must have that the stack labelling $v_i$ is
accepted from some $r_j$, which is a contradiction. Thus, $q \notin Q_i$.

Hence $Q_v = Q_1 \cap \cdots \cap Q_m$ as required.

Now, assume there is some accepting run of $\mathcal{T}$ via final state $q_f$. Assume there is an
accepting run of $\mathcal{T}'$. Then necessarily the run of $\mathcal{T}'$ has as its final label some tuple such that
$q_f \in Q_1 \cap \cdots \cap Q_m$. This contradicts the fact that the run of $\mathcal{T}'$ is accepting.

Conversely, take some accepting run of $\mathcal{T}'$. The accepting state $(Q_1, \ldots, Q_m)$ of this run
has no final state $q_f \in Q_1 \cap \cdots \cap Q_m$ and thus there can be no accepting run of $\mathcal{T}$. □





A.3 Membership 

In this section we prove the following. 

Proposition A.5. The membership problem for annotated stack tree automata is in linear
time.

Proof. We give an algorithm which checks if a tree $t$ is recognised by an automaton.

We start by labelling every leaf labelled with control $p$ with $\{p\}$.

For every node $v$ such that all its sons have been labelled, we label it by every state $q$ such
that there exist transitions $q \leftarrow_{1/m} (q_1, r_1), \ldots, q \leftarrow_{m/m} (q_m, r_m)$ such that each son $v_i$ is
labelled by a set containing $q_i$ and the stack labelling $v_i$ is accepted by $r_i$. Note, checking the
acceptance of a stack from $r_i$ can be done in linear time [5].

If we can label the root by a final state, the tree is accepted (as at each step, if we can label
a node by a state, there is a run in which it is labelled by this state), otherwise, it is not.

As knowing if a stack is accepted from a given state is linear in the size of the stack, and
we visit each node once, and explore each possible transition once for it, the complexity of
this algorithm is linear in the size of the tree. □

A.4 Emptiness

In this section we prove the following.

Proposition A.6. The emptiness problem for annotated stack tree automata is
PSPACE-complete.

Proof. We give the following algorithm:

We set Marked $= P$.

If there exists a $q$ which is not in Marked such that, there is some $m$ such that for each
$i \leq m$ we have $q \leftarrow_{i/m} (q', r')$ with $q' \in$ Marked and there exists a stack recognised from $r'$,
we add $q$ to Marked.

We stop when there does not exist such a state.

If Marked $\cap\, \mathbb{F} = \emptyset$, the recognised language is empty, otherwise, there is at least one tree
recognised.

There are at most $|\mathbb{Q}|$ steps in the algorithm, and the complexity of the emptiness problem
for the states $r$ is PSPACE. Thus, the algorithm runs in PSPACE. □
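
The labelling procedure of A.3 and the marking procedure of A.4 as runnable code. This is an added example, not code from the paper or the C-SHORe tool; it assumes order-1 stacks (plain words without annotations) accepted by a small alternating word automaton standing in for the stack states $r$, follows the Section 5 convention that the root is the 1st child of “above the root node”, and the names `Node`, `TreeAutomaton` and the sample automata are hypothetical.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Optional


@dataclass
class Node:
    stack: str                      # order-1 stack, top character first
    control: Optional[str] = None   # control state p, set on leaves only
    children: list = field(default_factory=list)


@dataclass
class TreeAutomaton:
    delta: set         # (q, i, m, q_child, r) encodes q <-_{i/m} (q_child, r)
    initial: set       # P
    final: set         # F
    stack_delta: dict  # (r, a) -> list of target sets (alternating, order 1)
    stack_final: set   # F_1

    def stack_accepts(self, r, word):
        """Is `word` accepted from stack state r? Every target must accept the rest."""
        if not word:
            return r in self.stack_final
        return any(all(self.stack_accepts(r2, word[1:]) for r2 in targets)
                   for targets in self.stack_delta.get((r, word[0]), ()))

    def stack_nonempty(self, r):
        """Is any word accepted from r? Forward search over sets of states."""
        alphabet = {a for (_, a) in self.stack_delta}
        seen, todo = set(), [frozenset([r])]
        while todo:
            states = todo.pop()
            if states in seen:
                continue
            seen.add(states)
            if states <= self.stack_final:
                return True
            for a in alphabet:
                options = [self.stack_delta.get((s, a), []) for s in states]
                for choice in product(*options):   # one transition per state
                    todo.append(frozenset().union(*choice))
        return False

    def labels(self, node):
        """A.3: states that can label `node` in a partial run from the leaves."""
        if not node.children:
            return {node.control} if node.control in self.initial else set()
        m = len(node.children)
        per_child = []
        for i, child in enumerate(node.children, start=1):
            below = self.labels(child)
            per_child.append({q for (q, j, k, qc, r) in self.delta
                              if (j, k) == (i, m) and qc in below
                              and self.stack_accepts(r, child.stack)})
        return set.intersection(*per_child)   # all children must agree on q

    def accepts(self, root):
        """Accept if a final state is reached by a 1/1 transition reading the root."""
        below = self.labels(root)
        return any(q in self.final and (i, m) == (1, 1) and qc in below
                   and self.stack_accepts(r, root.stack)
                   for (q, i, m, qc, r) in self.delta)

    def is_empty(self):
        """A.4: grow Marked from P; the language is empty iff Marked misses F."""
        marked = set(self.initial)
        changed = True
        while changed:
            changed = False
            for q, m in {(q, m) for (q, _, m, _, _) in self.delta if q not in marked}:
                if all(any(qc in marked and self.stack_nonempty(r)
                           for (q2, i2, m2, qc, r) in self.delta
                           if (q2, i2, m2) == (q, i, m))
                       for i in range(1, m + 1)):
                    marked.add(q)
                    changed = True
        return not (marked & self.final)


# Constructed sample: "ra" accepts any word starting with a, "rb" accepts
# exactly "b", and "rdead" accepts nothing.
STACK_DELTA = {("ra", "a"): [set()], ("rb", "b"): [{"rend"}],
               ("rdead", "a"): [{"rdead"}]}
AUT = TreeAutomaton({("q", 1, 2, "p1", "ra"), ("q", 2, 2, "p2", "rb"),
                     ("qf", 1, 1, "q", "ra")},
                    {"p1", "p2"}, {"qf"}, STACK_DELTA, {"rend"})
# Same tree shape, but the only way into qf needs a stack from the empty "rdead".
DEAD = TreeAutomaton({("q", 1, 2, "p1", "ra"), ("q", 2, 2, "p2", "rb"),
                      ("qf", 1, 1, "q", "rdead")},
                     {"p1", "p2"}, {"qf"}, STACK_DELTA, {"rend"})
GOOD = Node("ab", children=[Node("aa", "p1"), Node("b", "p2")])
SWAPPED = Node("ab", children=[Node("b", "p2"), Node("aa", "p1")])
BAD_STACK = Node("ab", children=[Node("aa", "p1"), Node("bb", "p2")])

if __name__ == "__main__":
    for name, tree in [("GOOD", GOOD), ("SWAPPED", SWAPPED), ("BAD_STACK", BAD_STACK)]:
        print(name, AUT.accepts(tree))
    print("AUT empty:", AUT.is_empty(), "DEAD empty:", DEAD.is_empty())
```

The naive recursion and subset search keep the example short; they do not reproduce the linear-time stack check cited in A.3.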

A.5 Automata Transformations 

In this section we show that annotated stack tree automata can always be transformed to meet 
the assumptions of the saturation algorithm. 

Take a stack tree automaton

$\mathcal{T} = (\mathbb{Q}, \mathbb{R}_n, \ldots, \mathbb{R}_1, \Sigma, \Delta, \Delta_n, \ldots, \Delta_1, P, \mathbb{F}, \mathbb{F}_n, \ldots, \mathbb{F}_1)$ .

We normalise this automaton as follows. It can be easily seen at each step that we preserve the
language accepted by the automaton.

First we ensure that there are no transitions

$p \leftarrow_{i/m} (q, r)$ .

We do this by introducing a new state $q_p$ for each $p \in P$. Then, we replace each

$p \leftarrow_{i/m} (q, r)$

with

$q_p \leftarrow_{i/m} (q, r)$

and for each

$q \leftarrow_{i/m} (p, r)$

in the resulting automaton, add a transition (not replace)

$q \leftarrow_{i/m} (q_p, r)$ .

Thus, we obtain an automaton with no incoming transitions to any $p$.

To ensure unique states labelling transitions, we replace each transition

$q \leftarrow_{i/m} (q', r)$

with a transition

$q \leftarrow_{i/m} (q', r_{(q,q')})$

where there is one $r_{(q,q')}$ for each pair of states $q, q'$. Then when $n > 1$ we have a transition
$r_{(q,q')} \xrightarrow{r'} R$ for each $r \xrightarrow{r'} R$. Notice, if there are multiple possible $r$ then $r_{(q,q')}$ accepts
the union of their languages. Furthermore, $r_{(q,q')}$ has no incoming transitions. Moreover, we
do not remove any transitions from $r$ but observe that $r$ is no longer initial. When $n = 1$ we
have a transition $r_{(q,q')} \xrightarrow[R_{br}]{a} R'$ for each $r \xrightarrow[R_{br}]{a} R'$.

We then iterate from $k = n$ down to $k = 3$ performing a similar transformation to the above.
That is, we replace each transition in the order-$k$ transition set

$r \xrightarrow{r'} R$

with a transition

$r \xrightarrow{r_{(r,R)}} R$

where there is one $r_{(r,R)}$ for each pair of $r$ and $R$. Then we have a transition $r_{(r,R)} \xrightarrow{r''} R'$ for
each $r' \xrightarrow{r''} R'$. Again, if there are multiple possible $r'$ then $r_{(r,R)}$ accepts the union of
their languages. Furthermore, $r_{(r,R)}$ has no incoming transitions.

Finally, for $k = 2$ the procedure is similar. We replace each transition in the order-2
transition set

$r \xrightarrow{r'} R$

with a transition

$r \xrightarrow{r_{(r,R)}} R$

where there is one $r_{(r,R)}$ for each pair of $r$ and $R$. Then we have a transition $r_{(r,R)} \xrightarrow[R_{br}]{a} R'$ for
each $r' \xrightarrow[R_{br}]{a} R'$.
A.6 Alternative Tree Automaton Definition

An alternative definition of stack tree automata would use transitions

$q \leftarrow (q_1, r_1), \ldots, (q_m, r_m)$

instead of

$q \leftarrow_{1/m} (q_1, r_1), \ldots, q \leftarrow_{m/m} (q_m, r_m)$ .

However, due to the dependency such transitions introduce between $r_1, \ldots, r_m$ it is no longer
possible to have a unique sequence $r_1, \ldots, r_m$ for each sequence $q, q_1, \ldots, q_m$ (one cannot simply
union the candidates for each $r_i$).

For example suppose we had $q \leftarrow (q_1, r_1), (q_2, r_2)$ and $q \leftarrow (q_1, r'_1), (q_2, r'_2)$ where $r_1$ accepts
$s_1$, $r'_1$ accepts $s'_1$, $r_2$ accepts $s_2$, and $r'_2$ accepts $s'_2$. If we were to replace these two transitions
with $q \leftarrow (q_1, r_1 \cup r'_1), (q_2, r_2 \cup r'_2)$ we would mix up the two transitions, allowing, for example,
the first child to be labelled by $s_1$ and the second by $s'_2$.

At a first glance, our tree automaton model may appear weaker since we cannot enforce
dependencies between the candidate $r_i$s in

$q \leftarrow_{1/m} (q_1, r_1), \ldots, q \leftarrow_{m/m} (q_m, r_m)$ .

However, it turns out that we can overcome this problem with new copies of $q$.

That is, suppose we had a set $\Delta$ of transitions of the form

$q \leftarrow (q_1, r_1), \ldots, (q_m, r_m)$ .

We could simulate the resulting tree automaton using our model by introducing a state $(q, \delta)$
for each $q$ and $\delta$.

Given a transition $\delta$ of the above form, we can use a family of rules

$(q, \delta) \leftarrow_{1/m} ((q_1, \delta_1), r_1), \ldots, (q, \delta) \leftarrow_{m/m} ((q_m, \delta_m), r_m)$

for all sequences $\delta_1, \ldots, \delta_m$ of $\Delta$. (Note that, although there are an exponential number of such
families, we can create them all from a polynomial number of transitions). Note that when
$q_i = p$ we would use $p$ on the right hand side instead of $(q_i, \delta_i)$ (recalling that $p$ has no incoming
transitions).


B Completeness of Saturation 

Lemma B.1 (Completeness of Saturation). The automaton $\mathcal{T}$ obtained by saturation from $\mathcal{T}_0$
is such that $\mathit{Pre}^*_{\mathcal{G}}(\mathcal{T}_0) \subseteq \mathcal{L}(\mathcal{T})$.

Proof. Completeness is proved via a straightforward induction over the length of the run
witnessing $t \in \mathit{Pre}^*_{\mathcal{G}}(\mathcal{T}_0)$. In the base case we have $t \in \mathcal{L}(\mathcal{T}_0)$ and since $\mathcal{T}$ was obtained only by
adding transitions to $\mathcal{T}_0$, we are done.

For the induction, take $t \in \theta(t')$ where $t' \in \mathit{Pre}^*_{\mathcal{G}}(\mathcal{T}_0)$ and by induction $\mathcal{T}$ has an accepting
run of $t'$. We show how the transitions added by saturation can be used to build from the run
over $t'$ an accepting run over $t$.

We first consider the cases where $\theta$ adds or removes nodes to/from the tree. The remaining
cases when the stack contents are altered are almost identical to the ICALP 2012 proof, and
hence are left until the end for the interested reader.
• When $\theta = p \rightarrow (p_1, \ldots, p_m)$ was applied to node $t_{\bullet i}$ of $t$, we have

$t' = t[t_{\bullet i} \to s][t_{\bullet i}1 \to (p_1, s)] \cdots [t_{\bullet i}m \to (p_m, s)]$

where $(p, s)$ labelled $t_{\bullet i}$.

Take the initial transitions over $t_{\bullet i}$ and $t_{\bullet i}1$ to $t_{\bullet i}m$ of the accepting run of $t'$

$q \leftarrow_{i/m'} (q_1, a, R_{br}, R_1, \ldots, R_n)$

and

$q_1 \leftarrow_{1/m} (p_1, a, R^1_{br}, R^1_1, \ldots, R^1_n), \ldots, q_1 \leftarrow_{m/m} (p_m, a, R^m_{br}, R^m_1, \ldots, R^m_n)$

where the components of $s$ were accepted from $R_{br}, R_1, \ldots, R_n$ and $R^1_{br}, R^1_1, \ldots, R^1_n$, ...,
$R^m_{br}, R^m_1, \ldots, R^m_n$.

By saturation we also have

$\delta = q \leftarrow_{i/m'} (p, a, R'_{br}, R'_1, \ldots, R'_n)$

where $R'_{br} = R_{br} \cup R^1_{br} \cup \cdots \cup R^m_{br}$ and for all $k$, we have $R'_k = R_k \cup R^1_k \cup \cdots \cup R^m_k$ from
which we obtain a run of $\mathcal{T}$ over $t$ by simply replacing the transitions of the run over $t'$
identified above with $\delta$.

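• When $\theta = (p_1, \ldots, p_m) \rightarrow p$ was applied to nodes $t_{\bullet j}$ to $t_{\bullet j+m-1}$ of $t$, we have $t' =
t \setminus \{t_{\bullet j}, \ldots, t_{\bullet j+m-1}\}$ and $t_{\bullet j}, \ldots, t_{\bullet j+m-1}$ were the only children of their parent $v$. Moreover,
let $(p_1, s_1)$ label $t_{\bullet j}$, and ... and, $(p_m, s_m)$ label $t_{\bullet j+m-1}$ and $v$ have the stack $s$ in $t$ and
$(p, s)$ label $v$ in $t'$.

The initial transition over $v$ of the accepting run of $t'$ was from state $p$. By saturation we
have

$\delta_1 = p \leftarrow_{1/m} (p_1, a_1, \emptyset, \emptyset, \ldots, \emptyset), \ldots, \delta_m = p \leftarrow_{m/m} (p_m, a_m, \emptyset, \emptyset, \ldots, \emptyset)$

for the $a_1, \ldots, a_m$ at the top of $s_1, \ldots, s_m$ respectively. We get from this a run of $\mathcal{T}$ over
$t$ by adding $\delta_1$ to $\delta_m$ to the run over $t'$ to read the nodes $t_{\bullet j}$ to $t_{\bullet j+m-1}$.

We now consider the cases where $\theta$ applies a stack operation to a single node $t'_{\bullet i}$ of $t'$. Let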

5 — Q ^ i/m {P 7^7 -^br 7 -^1 7 ■ ■ • 7 Rm ) 

be the transition applied at this node in the run. Additionally, let $s'$ be the stack labelling the
node, and $p'$ be the control state.

There is a case for each type of stack operation, all of which are almost identical to the
ICALP 2012 proof. In all cases below, $t$ has the same tree structure as $t'$ and only differs on
the labelling of $t'_{\bullet i} = t_{\bullet i}$.

• When 9 = p p' then we also added the transition 


to T. We have 


5 — Q ^ i/m (P 7 ^7 -^br 7 Ai, . . . , Rm ) 


s' = :i Si :2 • • • Sr. 


and since the node is labelled by $p$ and the stack

$s = a^{s_{br}} :_1 s_1 :_2 \cdots :_n s_n$

we obtain an accepting run of $t$ by simply replacing the application of $\delta'$ with $\delta$.
• When $\theta = p \xrightarrow{push} p'$ then when $k > 1$ we have


s' = ■■2 ■■■ -n Sn ■ 


Let 

Ri ^ 

^br 

be the first transitions used to accept $a^{s_{br}}$. From the saturation algorithm we also added

$\delta = q \leftarrow_{i/m} (p, a, R'_{br}, R'_1, R_2, \ldots, R_{k-1}, R_k \cup R_{br}, R_{k+1}, \ldots, R_n)$

to $\mathcal{T}$. Since the node is labelled by $p$ and the stack

$s = a^{s_{br}} :_1 s_1 :_2 \cdots :_n s_n$

we obtain an accepting run of $t$ by replacing the application of $\delta'$ with $\delta$. This follows
because $s_1$ was accepted from $R'_1$, $s_{br}$ from $R'_{br}$ and $s_k$ was accepted from both $R_k$ and
$R_{br}$.

When $k = 1$ we have

s' = a®i :i a®'=‘'si •■2 ■ ■ ■ -n Sn ■ 


Let 

Ri ^ 

K. 

be the first transitions used to accept $a^{s_{br}}$. From the saturation algorithm we also added

$\delta = q \leftarrow_{i/m} (p, a, R'_{br}, R'_1 \cup R_{br}, R_2, \ldots, R_n)$

to $\mathcal{T}$. Since the node is labelled by $p$ and the stack

$s = a^{s_{br}} :_1 s_1 :_2 \cdots :_n s_n$

we obtain an accepting run of $t$ by replacing the application of $\delta'$ with $\delta$. This follows
because $s_1$ was accepted from $R'_1$, $s_{br}$ from $R'_{br}$ and $s_k$ was accepted from both $R_k$ and
$R_{br}$.

• When $\theta = p \rightarrow p'$ then we have

$s' = s_k :_k s_k :_{k+1} s_{k+1} \cdots :_n s_n$ and $s_k = a^{s_{br}} :_1 s_1 :_2 \cdots :_{(k-1)} s_{k-1}$ .

Let

$R_k \xrightarrow[R'_{br}]{a} (R'_1, \ldots, R'_k)$

be the transitions used to accept the first character of the second appearance of $s_k$. From
the saturation algorithm we also added

$\delta = q \leftarrow_{i/m} (p, a, R_{br} \cup R'_{br}, R_1 \cup R'_1, R_2 \cup R'_2, \ldots, R_{k-1} \cup R'_{k-1}, R'_k, R_{k+1}, \ldots, R_n)$

to $\mathcal{T}$. Since the node is labelled by $p$ and the stack

$s = a^{s_{br}} :_1 s_1 :_2 \cdots :_n s_n$

we obtain an accepting run of $t$ by replacing the application of $\delta'$ with $\delta$. This follows
because stacks $s_1$ to $s_{k-1}$ are accepted from $R_1$ and $R'_1$ to $R_{k-1}$ and $R'_{k-1}$ respectively,
$s_{br}$ from $R_{br}$ and $R'_{br}$, and the remainder of the stack from $R'_k, R_{k+1}, \ldots, R_n$.
• When $\theta = p \rightarrow p'$ then we have

$s' = s_k :_{k+1} \cdots :_n s_n$

and

$s = a^{s_{br}} :_1 s_1 :_2 \cdots :_n s_n$

for some $a, s_{br}, s_1, \ldots, s_{k-1}$. We break down $\delta'$ to find $r_k$ such that

$q \leftarrow_{i/m} (p', r_k, R_{k+1}, \ldots, R_n)$

where $r_k$ accepts $s_k$ and $R_{k+1}$ through to $R_n$ accept $s_{k+1}$ through to $s_n$ respectively. By
saturation we added the transition

$\delta = q \leftarrow_{i/m} (p, a, \emptyset, \emptyset, \ldots, \emptyset, \{r_k\}, R_{k+1}, \ldots, R_n)$

from which we obtain an accepting run of $s$ with $p$ as required.

• When $\theta = p \xrightarrow{collapse} p'$ then we have

$s' = s_{br} :_{k+1} s_{k+1} \cdots :_n s_n$

and

$s = a^{s_{br}} :_1 s_1 :_2 \cdots :_n s_n$

for some $a, s_{br}, s_1, \ldots, s_k$. We break down $\delta'$ to find $r_{br}$ such that

$q \leftarrow_{i/m} (p', r_{br}, R_{k+1}, \ldots, R_n)$

where $r_{br}$ accepts $s_{br}$ and $R_{k+1}$ through to $R_n$ accept $s_{k+1}$ through to $s_n$ respectively. By
saturation we added the transition

$\delta = q \leftarrow_{i/m} (p, a, \{r_{br}\}, \emptyset, \ldots, \emptyset, R_{k+1}, \ldots, R_n)$

from which we obtain an accepting run of $s$ with $p$ as required.

Thus, in all cases we find an accepting run of $\mathcal{T}$, which completes the proof. □


C Soundness of Saturation 

We prove that the automaton $\mathcal{T}$ constructed by saturation only accepts trees in $\mathit{Pre}^*_{\mathcal{G}}(\mathcal{T}_0)$. The
proof relies on the notion of a “sound” automaton. There are several stages to the proof.

• We assign meanings to each state of the automaton that ultimately capture inclusion in
$\mathit{Pre}^*_{\mathcal{G}}(\mathcal{T}_0)$.

• We use these meanings to derive a notion of sound transitions.

• We define a sound automaton based on the notion of sound transitions.

• We show sound tree automata only accept trees in $\mathit{Pre}^*_{\mathcal{G}}(\mathcal{T}_0)$.

• We show the initial automaton $\mathcal{T}_0$ is sound, and moreover, each saturation step preserves
soundness, from which we conclude soundness of the saturation algorithm.





To define the meanings of the states we need to reason about partial runs of our stack tree
automata. Hence for a tree automaton $\mathcal{T}$ we define

$\mathcal{L}_{\mathbb{Q}}(\mathcal{T})$

to accept trees over the set of control states $\mathbb{Q}$ (instead of $P$). That is, we can accept prefixes
of trees accepted by $\mathcal{T}$ by labelling the leaves with the states that would have appeared on an
accepting run of the full tree.

Furthermore, we write $\mathcal{L}_{q_1, \ldots, q_m}(\mathcal{T})$
to denote the set of trees $t$ in $\mathcal{L}_{\mathbb{Q}}(\mathcal{T})$ such that $t$ has $m$ leaves and the “control” states (which
now includes all states in $\mathbb{Q}$) appearing on the leaves are $q_1, \ldots, q_m$ respectively. As a special
case, $\mathcal{L}_{q_f}(\mathcal{T})$ for all $q_f \in \mathbb{F}$ contains only the empty tree.


C.1 Meaning of a State

We assign to each state of the automaton a “meaning”. This meaning captures the requirement
that the states $p$ of the automaton should accept $\mathit{Pre}^*_{\mathcal{G}}(\mathcal{T}_0)$, while the meanings of the
non-initial states are given by the automaton itself (i.e. the states should accept everything they
accept). For states accepting stacks, the non-initial states again have the trivial meaning (they
should accept what they accept), while the meanings of the initial states are inherited from the
transitions that they label.

We write $\tilde{q}$ to denote a sequence $q_1, \ldots, q_m$ and $|\tilde{q}|$ is $m$.

Let $V$ be a partial mapping of nodes to states in $\mathbb{Q}$, let $\emptyset$ be the empty mapping, and let

$V[v \to q](v') = \begin{cases} q & v = v' \\ V(v') & v \neq v' . \end{cases}$

We use these mappings in the definition below to place conditions on nodes in the tree that restrict
runs witnessing membership in $\mathit{Pre}^*_{\mathcal{G}}(\mathcal{T}_0)$.

Definition C.1 ($t \models_V \tilde{q}$). If $t$ has $m$ leaves labelled $q_1, \ldots, q_m$ respectively then $t \models_V
q_1, \ldots, q_m$ whenever $t \in \mathit{Pre}^*_{\mathcal{G}}(\mathcal{L}_{\mathbb{Q}}(\mathcal{T}_0))$ and there is a run to some $t' \in \mathcal{L}_{\mathbb{Q}}(\mathcal{T}_0)$ such that -
fixing an accepting run of $\mathcal{T}_0$ over $t'$ - for all nodes $v$ of $t$ with $V(v) = q$, then

• if $q \in P$ then $v$ appears as a leaf during the run and on the first such tree in the run, $v$
has control state $q$.

• if $q \notin P$ then $v$ is not a leaf of any tree on the run and the accepting run of $\mathcal{T}_0$ over $t'$
labels $v$ with $q$.

As a special case, when $t$ is empty we have $t \models_\emptyset q_f$ and $q_f \in \mathbb{F}$.

Once we have assigned meanings to the states of $\mathbb{Q}$, we need to derive meanings for the
states in $\mathbb{R}_n, \ldots, \mathbb{R}_1$. We first introduce some notation.


t i (^7l,Si),..., {qm ,^m) — ^ [f ^ ^ ^ t (f/rn j ^m)] 

when $t$ is non-empty and $s$ is the stack labelling $t_{\bullet j}$ in $t$. When $t$ is empty we have

$t +_0 (q_1, s_1)$

is the single-node tree labelled by $(q_1, s_1)$.

In the definition below we assign meanings to states accepting stacks. The first case is the
simple case where a state is non-initial, and its meaning is to accept the set of stacks it accepts.

The second case derives a meaning of a state in $\mathbb{R}_k$ by inheriting the meaning from the
states of $\mathbb{R}_{k+1}$. Intuitively, if we have a transition $r_{k+1} \xrightarrow{r_k} R_{k+1}$ then the meaning of $r_k$ is that
it should accept all stacks that could appear on top of a stack in the meaning of $R_{k+1}$ to form
a stack in the meaning of $r_{k+1}$.

The final case is a generalisation of the above case to trees. The states in $\mathbb{R}_n$ should accept all
stacks that could appear on a node of the tree consistent with a run of the stack tree automaton
and the meanings of the states in $\mathbb{Q}$.

Definition C.2 ($s \models r$). For any $R \subseteq \mathbb{R}_k$ and any order-$k$ stack $s$, we write $s \models R$ if $s \models r$
for all $r \in R$. We define $s \models r$ by a case distinction on $r$.

1. When $r$ is a non-initial state in $\mathbb{R}_k$ then we have $s \models r$ if $s$ is accepted from $r$.

2. If $r_k$ is an initial state in $\mathbb{R}_k$ with $k < n$ labelling a transition $r_{k+1} \xrightarrow{r_k} R_{k+1} \in \Delta_{k+1}$ then
we have $s \models r_k$ if for all stacks $s'$ such that $s' \models R_{k+1}$ we have $s :_{k+1} s' \models r_{k+1}$.

3. We have $s \models r$ where $q \leftarrow_{i/m} (q', r)$ if for all transitions

$q \leftarrow_{1/m} (q_1, r_1), \ldots, q \leftarrow_{m/m} (q_m, r_m)$

trees $t \models_V \tilde{q}_1, q, \tilde{q}_2$ and stacks $s_1, \ldots, s_m$ such that

$t +_j (q_1, s_1), \ldots, (q_m, s_m) \models_{V[t_{\bullet j} \to q]} \tilde{q}_1, q_1, \ldots, q_m, \tilde{q}_2$

where $j = |\tilde{q}_1| + 1$, we have

$t +_j (q_1, s_1), \ldots, (q_{i-1}, s_{i-1}), (q', s), (q_{i+1}, s_{i+1}), \ldots, (q_m, s_m)
\models_{V[t_{\bullet j} \to q]} \tilde{q}_1, q_1, \ldots, q_{i-1}, q', q_{i+1}, \ldots, q_m, \tilde{q}_2$ .

Note that item 3 of the definition of $\models$ contains a vacuity in that there may be no $s_1, \ldots, s_m$
satisfying the antecedent (in which case all stacks would be in the meaning of $r$). Hence, we
require a non-redundancy condition on the automata.

Definition C.3 (Non-Redundancy). An order-$n$ annotated stack tree automaton

$\mathcal{T} = (\mathbb{Q}, \mathbb{R}_n, \ldots, \mathbb{R}_1, \Sigma, \Delta, \Delta_n, \ldots, \Delta_1, P, \mathbb{F}, \mathbb{F}_n, \ldots, \mathbb{F}_1)$

is non-redundant if for all $q \in \mathbb{Q}$ we have that either $q$ has no incoming transitions, or there
exist

$q \leftarrow_{1/m} (q_1, r_1), \ldots, q \leftarrow_{m/m} (q_m, r_m) \in \Delta$

such that for all $t \models_V \tilde{q}_1, q, \tilde{q}_2$ there exist $s_1, \ldots, s_m$ such that

$t +_j (q_1, s_1), \ldots, (q_m, s_m) \models_{V[t_{\bullet j} \to q]} \tilde{q}_1, q_1, \ldots, q_m, \tilde{q}_2$

where $j = |\tilde{q}_1| + 1$.

This property can be easily satisfied in $\mathcal{T}_0$ by removing states $q$ that do not satisfy the
non-redundancy conditions (this does not change the language since there were no trees that
could be accepted using $q$). We show later that the property is maintained by saturation.
C.2 Soundness of a Transition

After assigning meanings to states, we can define a notion of soundness for the transitions of
the automata. Intuitively, a transition is sound if it respects the meanings of its source and
target states.

One may derive some more intuition by considering a transition $q \xrightarrow{a} q'$ of a finite word
automaton. The transition would be sound if, for every word $w$ in the meaning of $q'$, the same
word with an $a$ in front is in the meaning of $q$. That is, the transition is sound if an $a$ can
appear on anything accepted from $q'$. The following definition translates the same idea to the
case of stack trees.

Definition C.4 (Soundness of transitions). There are two cases given below.

1. A transition $r_k \xrightarrow[R_{br}]{a} (R_1, \ldots, R_k)$ is sound if for any $s_1 \models R_1, \ldots, s_k \models R_k$ and $s_{br} \models R_{br}$
we have $a^{s_{br}} :_1 s_1 :_2 \cdots :_k s_k \models r_k$.

2. A transition

$q \leftarrow_{i/m} (q', a, R_{br}, R_1, \ldots, R_n)$ ,

is sound if for all trees $t \models_V \tilde{q}_1, q, \tilde{q}_2$ and stacks $s_1 \models R_1, \ldots, s_n \models R_n$ and $s_{br} \models R_{br}$
and for all

$q \leftarrow_{1/m} (q_1, r_1), \ldots, q \leftarrow_{m/m} (q_m, r_m)$

and stacks $s'_1, \ldots, s'_m$ such that

$t +_j (q_1, s'_1), \ldots, (q_m, s'_m) \models_{V[t_{\bullet j} \to q]} \tilde{q}_1, q_1, \ldots, q_m, \tilde{q}_2$

where $j = |\tilde{q}_1| + 1$, we have

$t +_j (q_1, s'_1), \ldots, (q_{i-1}, s'_{i-1}), (q', s), (q_{i+1}, s'_{i+1}), \ldots, (q_m, s'_m)
\models_{V[t_{\bullet j} \to q]} \tilde{q}_1, q_1, \ldots, q_{i-1}, q', q_{i+1}, \ldots, q_m, \tilde{q}_2$ .

where

$s = a^{s_{br}} :_1 s_1 :_2 \cdots :_n s_n$ .

In the proof, we will have to show that saturation builds a sound automaton. This means 
proving soundness for each new transition. The following lemma shows that it suffices to only 
show soundness for the outer collections of transitions. 

Lemma C.l (Cascading Soundness). If a transition 

Q ^ i/m (g , U, I^br 7 .^17 ■ • ■ 7 R'n') 7 

is sound then all transitions $r_k \xrightarrow[R_{br}]{a} (R_1, \ldots, R_k)$ appearing within the transition are also sound.

Proof. We march by induction. Initially k = n and we have r > (i?i,..., i?„) where g ^i/m 

(gi, r). To prove soundness of the transition from r, take si ^ i?), ..., s„ ^ R)^, and Sbr H -^br- 
We need to show 

s = :i Si :2 • • • m Sn h ^ • 

This is the case if, letting j = |gi|, for all transitions


Q ^ l/m (QIi ^l) : • • • :Q t rajm. {Qrm ’^m) 

trees t 9i, 9) 92 and stacks si,..., Sm such that 

^ “fj (91 j ®l) ) ■ • ■ ) (9m, Sjn) Hv[t, —>-q] 9l, 9l, ■ • ■ , 9m, 92 

we have 

^ "f i (91, ) , • • • , (9*—1, —1) , (9 , 'S) , (9i+l, 'Si+l) , ■ • ■ , (9m, Sm) 

Nv[t, .^q] ■ ■ ■ ’ 9i —1,9,9i+l, • ■ • , 9m, 92 ■ 

These properties are derived immediately from the fact that 

Q i/m (<7 , a, -/^br, Rl , ■ • ■ , -^n) , 

is sound, hence we are done. 

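When $k < n$ we assume $r_{k+1} \xrightarrow[R_{br}]{a} (R_1, \ldots, R_{k+1})$ is sound and $r_{k+1} \xrightarrow{r_k} R_{k+1}$. We show
$r_k \xrightarrow[R_{br}]{a} (R_1, \ldots, R_k)$ is also sound. For this, we take any stacks $s_1 \models R_1$, ..., $s_k \models R_k$, and
$s_{br} \models R_{br}$. We need to show

$s = a^{s_{br}} :_1 s_1 :_2 \cdots :_k s_k \models r_k$.

For this, we need for all $s' \models R_{k+1}$ that $s :_{(k+1)} s' \models r_{k+1}$. From the soundness of
$r_{k+1} \xrightarrow[R_{br}]{a} (R_1, \ldots, R_{k+1})$ we have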

s :(fc+i) :i Si :2 • ■ • :(fe+i) ®fc+i h ^fc+i 

and we are done. □ 


C.3 Soundness of Annotated Stack Tree Automata 


We will prove that saturation constructs a sound automaton. We first define what it means for
an automaton to be sound and prove that a sound automaton only accepts trees in $\mathit{Pre}^*_G(\mathcal{T}_0)$.

Definition C.5 (Soundness of Annotated Stack Tree Automata). An annotated stack tree
automaton $\mathcal{T}$ is sound if


1. T is obtained from To by adding new initial states to Mi,... ,M„ and transitions starting 
at initial states, and 

2. in R, all transitions 

9 ^ i/m (q , (Z, T?br, Rl , ■ • • , R'n') 


and 


rk (Rl, ■■■,Rk) 

Rbr 


are sound, and 

3. R is non-redundant. 

We show that a sound annotated stack tree automaton can only accept trees belonging to
$\mathit{Pre}^*_G(\mathcal{T}_0)$. In fact, we prove a more general result. In the following lemma, note the particular
case where $t \in \mathcal{L}_q(\mathcal{T})$ and q is a sequence of states in P then we have $t \in \mathit{Pre}^*_G(\mathcal{T}_0)$. That is,

$\mathcal{L}(\mathcal{T}) \subseteq \mathit{Pre}^*_G(\mathcal{T}_0)$.

Lemma C.2 (Sound Acceptance). Let $\mathcal{T}$ be a sound annotated stack automaton. For all
$t \in \mathcal{L}_q(\mathcal{T})$ we have $t \models_\emptyset q$.

Before we can prove the result about trees, we first prove a related result about stacks. This 
result and proof is taken almost directly from ICALP 2012 [^. 

Lemma C.3 (Sound Acceptance of Stacks). Let $\mathcal{T}$ be a sound annotated stack automaton. If
$\mathcal{T}$ accepts an order-k stack s from $r \in \mathbb{R}_k$ then $s \models r$.

Proof. We proceed by induction on the size of the stack (where the size of an annotated stack
is defined to be the size of a tree representing the stack).

Let s be an order-k stack accepted from a state $r \in \mathbb{R}_k$. We assume that the property holds
for any smaller stack.

If s is empty then r is a final state. Recall that by assumption final states are not initial,
hence r is not initial. It follows that the empty stack is accepted from r in $\mathcal{T}_0$ and hence $s \models r$.

If s is a non-empty stack of order-1, then $s = a^{s_{br}} :_1 s_1$. As s is accepted from r, there
exists a transition $r \xrightarrow[R_{br}]{a} (R_1)$ such that $s_1$ is accepted from $R_1$ and $s_{br}$ is accepted from $R_{br}$.
By induction we have $s_1 \models R_1$ and $s_{br} \models R_{br}$. Since the transition is sound, we have $s \models r$.

If s is a non-empty stack of order-k, then $s = s_{k-1} :_k s_k$. As s is accepted from r, there
exists a transition $r \xrightarrow{r'} R$ such that $s_k$ is accepted from R and $s_{k-1}$ is accepted from r'. By
induction we have $s_{k-1} \models r'$ and $s_k \models R_k$. Thus, by the definition of $s_{k-1} \models r'$ we also have
$s = s_{k-1} :_k s_k \models r$. □


We are now ready to prove Lemma C.2 (Sound Acceptance).

Proof of Lemma C.2 (Sound Acceptance). We proceed by induction on the number of nodes in
the tree. In the base case, we have $t \in \mathcal{L}_{q_f}(\mathcal{T})$ for some $q_f \in F$ and t is empty. Thus, we
immediately have $t \models_\emptyset q_f$.

Thus, take some non-empty t G £q(T). Let the sequence t,.,..., be the first complete 
group of siblings that are all leaf nodes and let q = gi, gi,..., gm, 92 be the decomposition of q 
such that 91 is of length (i — 1). That is, 91 ,..., label the identified leaves of t. Furthermore, 
let si,..., Sm be the respective stacks labelling these leaves. Take the set of transitions 

q^i/ m (<Zl; ^ 1 ) ) ■ • • <Z ^m/m (.Qrm ^m) 

that are used in the accepting run of t and the identified leaves. Let t' be the tree obtained by 
removing t,.,..., . We have t' G Cq^ ^q^g^ (T) and by induction t' ^0 9i, 9, 92 ■ 

Since 9 has incoming transitions and T is non-redundant, we know there exists 

q t l/m (Ti t'^i) 1 ■■■ q t m/m (^mJ ^m) 

and s'l,..., such that 

t Tz (9i: ^i) , . . . , {q^n^ ^m) Tl; Tl; ■ • ■ ; Tm5 T 2 • 

Since si ^ r\ we infer from the definition of ^ at ri that

t' +z (9l,Sl),(gi,S2).---.('?m.Sm) l= 0 [t.,^ 9 ] . 91 > ^2 . • ■ • . C. 92 ■ 

By repeated applications of the above for each 1 < j < m, we obtain 

t ~^i (91 j Si) j (92 I S 2 ) , • ■ • , ((Zm j Sin) ^ 0 ^ 4 ,. 9l i 9l j • ■ ■ ! 9m j 92 ■ 

This implies t ^0 9 since ^0 is less restrictive than _^gj- O 

C.4 Soundness of Saturation 

We first prove that $\mathcal{T}_0$ is sound, and then that saturation maintains the property.

Lemma C.4 (Soundness of $\mathcal{T}_0$). The initial automaton $\mathcal{T}_0$ is sound.

Proof. It is trivial that $\mathcal{T}_0$ is obtained from $\mathcal{T}_0$, and moreover, we assume the non-redundancy
condition. Hence, from Lemma C.1 (Cascading Soundness) we only need to prove soundness
of non-initial transitions of the form

$r_k \xrightarrow[R_{br}]{a} (R_1, \ldots, R_n)$


and for transitions in A. 

We first show the case for non-initial

$r_k \xrightarrow[R_{br}]{a} (R_1, \ldots, R_n)$

which is the same as in ICALP 2012. First note that $R_1, \ldots, R_n$ and $R_{br}$ do not contain initial
states. Then we take $s_1 \models R_1$, ..., $s_k \models R_k$ and $s_{br} \models R_{br}$. We have to show
$a^{s_{br}} :_1 s_1 :_2 \cdots :_k s_k \models r_k$. In particular, since $r_k$ is not initial, we only need to construct an accepting run.
Since $R_i$ and $R_{br}$ are not initial, we have accepting runs from these states. Hence, we build
immediately the run beginning with $r_k \xrightarrow[R_{br}]{a} (R_1, \ldots, R_n)$.

We now prove the case for 

Q ^ i/m (9 , U, TZbn .^Ij ■ • ■ 1 Rn) ■ 

Thus, take any si ^ i?i, ■ ■. Sm |= Rm, and Sbr |= Rhr and any tree t 9 i) 9 ) 92 and, letting 
j = | 9 i| + 1 , any 

9 ^ 1 / m (9lil*l)j---9 ^ mjm (9m j I’m) 

and any s'^,..., such that t +j {qi,s[)... {qm, s'^) 91 , 91 ,..., q^^ q-m- Since initial 

states have no incoming transitions, we know q is not a control state. We thus have a run p from
t +j {qi,s[)... (qm, s'^) to some t' G Cw{T) such that t,. does not appear as a leaf of any tree 
in the run. 

To prove soundness we argue that 

t j (9lj S]^) , . ■ • , (9i-lj ■Si-l) J (9 ) s) , (9i-|-l) ■^i-l-l) ) ■ ■ ■ ) (9m) Sm) 

. — 45 ] 9l) 9l) ■ ■ • ) 9i—1) 9 ) 9i-|-l) ■ ■ • ) 9m) 92 (1) 

where $s = a^{s_{br}} :_1 s_1 :_2 \cdots :_n s_n$. To do so, we take the run p obtained above and build a run p'
by removing all operations applied to nodes that are descendants of Observe that p' can 
be applied to 

t (gi, s'l) ,..., (gi_i, s-_i) , (g', s ), (g^+i, s'+i) ,..., (g^, s^) 

since none of the operations apply to a descendant of By applying this run we obtain a 
tree t" which is t' less all nodes that are strict descendants of t,. i and where i is labelled by 
(g', s). Thus, we take the accepting run of t' witnessing t' € CwiTo), remove all nodes that are 
strict descendants of and label by q'. This gives us a run witnessing t" S C-wiJh) by 
using 

Q ^ i/m , G, -Rbr; ■ j Rn) ■ 

at and the accepting runs from the non-initial Rhr^ Ri^-'-^Rn- This gives us m as 
required. □ 

We now show that, at every stage of saturation, we maintain a sound automaton. 

Lemma C.5 (Soundness of the Saturation Step). Given a sound automaton T, we have T' = 
J-{T) is sound. 

Proof. We analyse all new transitions 

„ , _ tr, n Ijnew nnew nnewN 

g i i/m \Pi ^7 1 1 • • ' 1 ) ' 

Proving these transitions are sound and do not cause redundancy is sufficient via Lemma C.1
(Cascading Soundness).

Let us begin with the transitions introduced by rules that do not remove nodes from the 
tree. We argue that for all trees t |=v gi,g, g 2 and stacks Si (= and 

Sbr h 

q^i/ m mjm ^m) 

and stacks 5 ^,..., 5 ^ such that 

^ Tj {QI-! , . • ■ , {Qm-! ^m) ■ i Qm-! Q2 

where j = |gi| -h 1 we have, letting 

ti =t+j (gi,si) , (g*-i,s'_i) , (p,s), (g,+i,s'+i) ,..., {qm,Sm) 
and q{ = gi, gi,..., gi_i and g^ = gi+i,..., g™, g 2 that 

'^v[t..^q\ 9l7Pi92 ( 2 ) 

where s = '-i si \2 ■ ■ ■ '-n Sn- 

We proceed by a case distinction on the rule 9 which led to the introduction of the new 
transition. In each case, let t 2 S 9{ti) be the result of applying 9 at node t,.i. In all cases 
except when 9 removes nodes, g already has an incoming transition, hence we do not need to 
argue non-redundancy (since T is non-redundant). 

• When 9 = p' p we derived the new transition from some transition

„ y_ (h onew pnew pnew\ 

and since this transition is sound t 2 (=v[t .->. 9 ] We take the run witnessing 

soundness for t 2 and prepend the application of 0 to ti. This gives us a run witnessing 
m as required. 

• When 0 = p'


' ^ p, then when fc > 1 we derived the new transition from some 

Q ^ i/m {p,a,RhT,Rl,R 2 , ■ ■ ■ ,Rn) 
and i?i > R\ and the new transition is of the form 

9 ^3/ m (p, n, -^br5 -^1J -^2; • ■ - ; Rk—1 ; Rk U Rhr: Rk+1 j ■ - ■ i Rn^ 
Furthermore, we have t 2 has at i the stack 

a®'' :i o®*’'- :i Si 12 • • • s„ 


and we have s^ ^ = Rk ^ Rhr and Si |= R^™ = R[ and from soundness of 

Ri —^ R[ we have a®*’’' :i si |= i?i. Thus, we can apply soundness of the transition from 

^bt 

p' to obtain t 2 |=v[t, .^ 5 ] 9 ^JP^ 92 ■ We prepend to the run witnessing this property an 
application of 9 to ti at node t,.i to obtain a run witnessing ([5]) as required. 

When fc = 1 we began with a transition 

Q ^ i/m (p',a, i?br, i?l, i?2 ■ ■ ■ , Rn) 


and Ri — > R[ and the new transition is of the form 


Q ^ j/m (P; a, R}^j-: R\ U .Rbri ^2^ • ■ • : Rn) ■ 
Furthermore, we have t 2 has at t^.i the stack 

:i a®*”- q Si :2 • • • m s„ 


and we have Si |= = R'l U i?br and from Sbr |= R^'^ = R'\j^ and soundness of 

Ri —^ R'l we have a®*”" q si |= R'l- Thus, we can apply soundness of the transition 

^br 

from p' using si |= Rhr (since si \= = i?( U i?br) to obtain t 2 l=v[t. .^ 5 ] 

We prepend to the run witnessing this property an application of 9 to ti at node to 
obtain a run witnessing ([5]) as required. 


• When 9 = p 


pushfc 

- >P 


we started with a transition 


(/ t ijm {p •) a, Rhr^ .^1; • ■ - ; Rn ) 


and Rk 




.., R'j .) and the new transition is of the form 


(/ i j/m {/Pi a, .^br U Rhn .^1 U Ri , . . . , Rk — 1 U Rk—i , Rk i Rk+l i ■ ■ ■ i Rn^ ■ 

Let s' = a®*’' q Si :2 • • • -k-i Sk-i, we have that t 2 has at node the stack 

a®*’' q Si :2 • • • :(fc-i) Sk-i -k s' q Sfc+i :(fe+i) ■ ■ ■ -n Sn ■ 

Note, by assumption we have si |= = i?i Ui?(, ..., Sfe_i |= Rk™i = i?fe_i and 

Sbr 1= Rht'^ = Rhr U R'l,,.. Thus from soundness of Rk —^ {R'n ..., R'k) we have s' (= Rk- 

^br 

Consequently, from the soundness of the transition fromp' we have t 2 Hv[i .-s-ij] 92 - 

We prepend to the run witnessing this property an application of 0 to ti at node to 

obtain a run witnessing ([ 2 ]) as required. 

• When 9 = p p' we derived the new transition from

q^^/m {p',rk,Rk+l,---,Rn) 
and the new transition is of the form 

9 t-i/m (p,a,0,0, 

The tree ^2 has labelling the stack s' = Sk ^(fc+i) ■ ■ ■ -n Sn and since Sfc+i |= Rk+i, • • •, 
Sn Rn we have from the definition of |=v ^-nd Sk |= rk that t2 |=v|'( 9^,P^92■ 

before, we prepend to the run witnessing this property an application of 6 to ti at node 
i to obtain a run witnessing ([2]) as required. 

n collapse^, , 

• When U — p - > p we began with a transition 

Q ^ i/m 

and the new transition has the form 


9 ^ i/m {P^ * ■ * ; Rk +1 , ■ ■ • , Rn') 

The tree t2 has labelling the stack s' = Sbr d^+i) ■{k+2) -n Sn and since 

Sfe+i 1= i?fc+i, Sn 1= Rn we have from the definition of and Sbr H ’’fc that 
t2 l=v[t .^5] 9^)P^92• before, we prepend to the run witnessing this property an 

application of 9 to ti at node to obtain a run witnessing ([ 2 ]) as required. 

• When 9 = p ^ {pi ,..., Pm ') we had transitions 

9 ^ i/m , n, R\yxi Rl-j ■ ■ ■ : Rn') 


and 


q i l/m' {pi 7 ^7 -^brJ -^17 ■ ■ ■ ; Rn) t ■ • ■ i Q ^ m' jm' (^m' 7 Rhr t Rl t ■ • • 1 Rn ^ 


and the new transition added is of the form 


^ ^ onew pnew pnew\ 

q i i/m \Pj ^7 ^hr 1 7 ■ * * ; ^n / 

where R^^^^ = i?br U U ■ ■ ■ U Rl^' and for all k, we have R^^^ = RiU Rlu • ■ ■ U Rf. 
Letting t[ = 

t+j (gi,si) ,■ ■■, (9^-1, Si_i) : ( 9 ',s), (gj+i,s'+i) ,..., {qm,s'„^) 

and V' = V[t,^ q] we have from i?"™ = i?br U U ■ • ■ U R'^^ and Rf’'^ = i?i U U 
■ • • U R'P , ..., Rn’^'" = Rn U Rn U • ■ • U i?™ , and by soundness of the transition from q' that 
t'l l=V' 9^)9^92■ Thus, from non-redundancy and repeated applications of the soundness 
of the transition from pi to the soundness from pm> (as in the proof of Lemma lC. 2 h Sound 
Acceptance)) we have 

^2=^1+ (j+i) (pi) ■5) ) ■ ■ • ) {Pm ') s) |=V' [t, . i—>g'] 9 l > Pi > • ■ ■ ) Pm' > 92 ■ 

We prepend to the run witnessing this property an application of 9 to ti at node to 
obtain a run witnessing ([2]) as required. 

The remaining case is for the operations that remove nodes from the tree. For (pi,... ,Pm) —> P
we introduced 

P^i/m (pi,a,0,0,...,0) 


to 


P ^ mjTn {_PTni O'? 0,0,...,0) . 


We prove soundness of the first of these rules, with the others being symmetrical. Taking any 
sequence of transitions 

P-^i! m 1 • • • iP ^ mjm (^Qm^ ‘^m) 

any t qi,P, 92 and si, ..., Sm such that, letting j = | 9 i| + 1, 


i — ^Tj(9l,Sl),..., (9m, Sm) Hv[t, —9l, 9l, ■ • ■ , 9m, 92 ■ 
We need to show for any stack with top character a that 


t+j (pi,s),(92,S2),...,(9m,Sm) |=v[i.^^p] 9l, Pi, 92 , • ■ ■ , 9m, 92 • 

Take the run witnessing the property for t'. This must necessarily pass some tree where 
is exposed and contains control state p. Moreover, this is the first such exposure of the node. 
Since we assume, for all p, there is only one rule (p(,... ,P 2 ) ^ p for any p'l,... ,p(„, the node 
must be exposed by an application of 9. 

Thus, we can remove from the run all operations applied to a descendant of 1 before its 
exposure. This run then can be applied to 


t +j (Pl, S) , ( 92 , S 2 ) . • ■ , (9m, Sm) 

to witness t +J (pi, s) , ( 92 , S 2 ) , . . . , (9m, Sm) 9l,Pl, 92, ■ ■ ■ , 9m, 92- 

To prove non-redundancy, we simply take any stacks si, ..., Sm and apply 9 to t +j 
(pi, si),..., (pm, Sm) to obtain t from which the remainder of the run exists by assumption. □ 

Lemma C.6 (Soundness of Saturation). The automaton $\mathcal{T}$ obtained by saturation from $\mathcal{T}_0$ is
such that $\mathcal{L}(\mathcal{T}) \subseteq \mathit{Pre}^*_G(\mathcal{T}_0)$.

Proof. By Lemma C.4 (Soundness of $\mathcal{T}_0$) we have that $\mathcal{T}_0$ is sound. Thus, by induction, assume
$\mathcal{T}$ is sound. We have T' = T^(T) and by Lemma C.5 (Soundness of the Saturation Step) we
have that $\mathcal{T}'$ is sound.

Thus, the $\mathcal{T}$ that is the fixed point of saturation is sound, and we have from Lemma C.2
(Sound Acceptance) that $\mathcal{L}(\mathcal{T}) \subseteq \mathit{Pre}^*_G(\mathcal{T}_0)$. □


D Lower Bounds on the Reachability Problem 

We show that the global backwards reachability problem is n-EXPTIME-hard for an order-n
GASTRS. The proof is by reduction from the n-EXPTIME-hardness of determining the winner
in an order-n reachability game [5].

Proposition D.1 (Lower Bound). The global backwards reachability problem for order-n
GASTRSs is n-EXPTIME-hard.

Proof. We reduce from the problem of determining the winner in an order-n pushdown
reachability game [5].

We first need to define higher-order stacks and their operations. Essentially, they are just
annotated stacks without collapse. That is, order-1 stacks are of the form $[a_1 \ldots a_m]_1$ where
$a_1 \ldots a_m \in \Sigma^*$. Order-k stacks for $k > 1$ are of the form $[s_1 \ldots s_m]_k$ where $s_1, \ldots, s_m$ are
order-(k − 1) stacks.

Their operations are

$\mathit{HOps}_n = \{push_a \mid a \in \Sigma\} \cup \{push_k \mid 2 \le k \le n\} \cup \{pop_k \mid 1 \le k \le n\}$.

The $push_k$ and $pop_k$ operations are analogous to annotated stacks. We define $push_a(s) = a :_1 s$.

Such a game is defined as a tuple $(P, \Sigma, \mathcal{R}, \mathcal{F})$ where $P = P_1 \cup P_2$ is a finite set of control
states partitioned into those belonging to player 1 and player 2 respectively, $\Sigma$ is a finite set of
stack characters, $\mathcal{R} \subseteq P \times \Sigma \times \mathit{HOps}_n \times P$ is a finite set of transition rules, and $\mathcal{F} \subseteq P$ is a set
of target control states.

Without loss of generality, we assume that for all $p \in P_2$ and $a \in \Sigma$ there are exactly two rules
in $\mathcal{R}$ of the form $(p, a, \sigma, p')$ for some $\sigma$ and $p'$.

A configuration is a tuple (p, s) of a control state and higher-order stack. A winning play
of a game from an initial configuration $(p_0, s_0)$ for player 1 is a tree labelled by configurations
such that

• all leaf nodes are labelled by configurations (p, s) with $p \in \mathcal{F}$.

• if an internal node is labelled (p, s) with $p \in P_1$ then the node has one child labelled by
(p', s') such that for some $(p, a, \sigma, p') \in \mathcal{R}$ we have $s = a :_1 s''$ for some s'' and $s' = \sigma(s)$.

• if an internal node is labelled (p, s) with $p \in P_2$ then when $s = a :_1 s'$ for some s' and we
have the rules $(p, a, \sigma_1, p_1)$ and $(p, a, \sigma_2, p_2)$, then the node has two children labelled by
$(p_1, s_1)$ and $(p_2, s_2)$ with $s_1 = \sigma_1(s)$ and $s_2 = \sigma_2(s)$.

Note, we assume that the players can always apply all available rules for a given p and a in the
game (unless a control state in $\mathcal{F}$ is reached). This is standard and can be done with the use of a
“bottom-of-stack” marker at each order.

Determining if player 1 wins the game is known to be n-EXPTIME hard [5]. This amounts
to asking whether a winning game tree can be constructed from the initial configuration $(p_0, s_0)$.

That the winning game trees are regular can be easily seen: we simply assert that all leaf
nodes are labelled by some $p \in \mathcal{F}$.
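
The game semantics defined above, as an added example that is not part of the paper: a depth-bounded search for a winning play tree of player 1 over order-n stacks without collapse. The nested-tuple encoding, the function names and the sample order-2 game are constructed for illustration, and push_k and pop_k are assumed to have their usual meaning (copy or drop the topmost order-(k − 1) stack), which this section only references.

```python
# Order-n stacks as nested tuples, topmost element first: an order-1 stack is
# a tuple of characters, an order-k stack is a tuple of order-(k-1) stacks.

def top_char(s, order):
    """Top character of the topmost order-1 stack, or None if there is none."""
    for _ in range(order - 1):
        if not s:
            return None
        s = s[0]
    return s[0] if s else None

def apply_op(op, s, order):
    """Apply ('push', a), ('push', k) or ('pop', k); None where undefined."""
    kind, arg = op
    level = 1 if isinstance(arg, str) else arg    # push_a acts at order 1
    if order > level:                             # descend into the topmost stack
        if not s:
            return None
        inner = apply_op(op, s[0], order - 1)
        return None if inner is None else (inner,) + s[1:]
    if kind == 'push':
        if isinstance(arg, str):
            return (arg,) + s                     # push_a(s) = a :_1 s
        return (s[0],) + s if s else None         # assumed push_k: copy top order-(k-1) stack
    return s[1:] if s else None                   # assumed pop_k: drop top order-(k-1) stack

def player1_wins(game, p, s, depth):
    """True iff player 1 has a winning play tree of height <= depth from (p, s)."""
    order, p1_states, rules, targets = game
    if p in targets:                              # leaves must carry a target state
        return True
    a = top_char(s, order)
    if depth == 0 or a is None:                   # out of budget, or no rule can fire
        return False
    results = []
    for (q, b, op, q2) in rules:
        if q == p and b == a:
            t = apply_op(op, s, order)
            results.append(t is not None and player1_wins(game, q2, t, depth - 1))
    if p in p1_states:
        return any(results)                       # player 1 picks one child
    return bool(results) and all(results)         # player 2 node: every child must win

# Constructed order-2 game: p0, p2, p3 belong to player 1, p1 to player 2.
GAME = (
    2,
    {'p0', 'p2', 'p3'},
    [('p0', 'a', ('push', 2), 'p1'),
     ('p1', 'a', ('pop', 1), 'p2'),               # player 2's two rules for (p1, a)
     ('p1', 'a', ('pop', 2), 'p3'),
     ('p2', 'b', ('pop', 2), 'p3'),
     ('p3', 'a', ('push', 'b'), 'f')],
    {'f'},                                        # target control states
)
```

From the order-2 stack holding the single order-1 stack "ab", player 1 wins with a play tree of height 4; from the stack holding only "a", player 2's pop_1 branch empties the top order-1 stack and player 1 is stuck.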

We build a GASTRS that constructs play trees. We simulate a move in the game via several 
steps in the GASTRS, hence its control states will contain several copies of the control states of 
the game. Suppose we have a rule $(p, a, \sigma, p')$ where $p \in P_1$. The first step in the simulation will
be to check that the top character is a, for which we will use p (p, 1) where (p, 1) is a 

new control state. The next step will create a new node in the play tree using (p, 1) ^ ((p', 2)) 
which uses the intermediate control state (p', 2). The final step is to apply the stack operation 
and move to p'. When a = push;, or cr = pop;. we can use (p', 2) ^ p'. When a = push;, we 

use another intermediate control state and (p', 2) —4 (p', 3) and (p', 3) pf 

When p G P 2 with the rules (p, a, cri,pi) and (p, a, (J 2 ,P 2 ) we use p (p, 1), 

(pA) ((pi,2),(p2,2)) , 

and similar rules to the previous case to apply a and move to pi or p 2 . 

Let the above GASTRS be G. From the initial single-node tree $t_0$ whose node is labelled
$(p_0, s_0)$ it is clear that a tree whose leaf nodes are only labelled by control states in $\mathcal{F}$ can be
reached iff there is a winning play of player 1 in the reachability game. We can easily build a tree
automaton $\mathcal{T}_0$ that accepts only these target trees. Since checking membership $t_0 \in \mathit{Pre}^*_G(\mathcal{T}_0)$
is linear in the size of tree automaton representing $\mathit{Pre}^*_G(\mathcal{T}_0)$ we obtain our lower bound as
required. □